explore-code
Warn
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script scripts/write_outputs.py uses importlib.util to dynamically load and execute a module from a path computed at runtime (../../../shared/scripts/write_explore_bundle.py). This technique allows the execution of code residing outside the skill's controlled package environment, which is a significant security risk because it bypasses standard module isolation.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via scripts/plan_code_changes.py. It reads untrusted JSON data from user-provided file paths and uses this content to construct instructions and adaptation tracks that guide the agent's behavior.
- Ingestion points: Untrusted data is ingested from files specified by the --variant-spec-json, --idea-card-json, and --analysis-json command-line arguments.
- Boundary markers: There are no boundary markers or instructions to ignore embedded commands within the processed JSON data.
- Capability inventory: The skill includes capabilities for comprehensive file system scanning (rglob) and dynamic code loading/execution (importlib).
- Sanitization: The skill parses JSON but performs no validation or sanitization against a strict schema to prevent malicious instruction embedding within the research adaptation plan.