nimble-agent-builder

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFEREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill dynamically generates and executes Python or TypeScript code to perform batch data extraction and agent validation tasks. These scripts are run using uv run or the Node.js runtime. This behavior is central to the skill's primary purpose as an agent builder and includes safety practices like smoke testing a single query before committing to a full batch.
  • [COMMAND_EXECUTION]: Instructions frequently use the Bash tool to execute shell commands. This is used for checking environment readiness, interacting with the Nimble platform CLI (e.g., nimble agent run, nimble search), and running investigation scripts that utilize Playwright to probe website structures.
  • [EXTERNAL_DOWNLOADS]: The skill provides setup instructions that involve downloading and installing external packages, specifically the Nimble CLI (@nimble-way/nimble-cli) and the Python SDK (nimble_python). These resources are official tools provided by the skill's author (Nimbleway).
  • [PROMPT_INJECTION]: The skill processes untrusted data from external websites (via site mapping and search results) to help the user design extraction schemas. This creates an indirect prompt injection surface where malicious content on a scraped page could theoretically influence the agent building process, although the skill utilizes structured reporting to mitigate accidental execution of embedded instructions.
Audit Metadata
Risk Level
SAFE
Analyzed
May 15, 2026, 08:25 PM
Security Audit — agent-trust-hub — nimble-agent-builder