mathmodel-figure-templates

Warn

Audited by Gen Agent Trust Hub on Jul 3, 2026

Risk Level: MEDIUMCOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The renderer script scripts/render_template.py executes Python code in a subprocess. Evidence: result = subprocess.run([sys.executable, str(dst)], cwd=str(project), check=False).
  • [COMMAND_EXECUTION]: The execution logic is vulnerable to workspace script hijacking. The skill favors existing files in the destination path over its own bundled templates: if dst.exists() and not args.overwrite: print(f"Using existing workspace script: {dst}"). This allows for a scenario where an agent executes an untrusted script if one is already present in the workspace at the expected path.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 3, 2026, 01:25 PM
Security Audit — agent-trust-hub — mathmodel-figure-templates