data-designer
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill frequently executes shell commands to interact with the environment and the
data-designerCLI. This includes resolving the executable path, validating configuration scripts, and generating datasets (e.g.,data-designer validate,data-designer preview, anddata-designer createinworkflows/autopilot.mdandworkflows/interactive.md). - [COMMAND_EXECUTION]: The skill generates Python scripts based on user requirements and subsequently executes them via the
data-designerCLI. While this is the primary function of the skill, it involves the runtime execution of dynamically generated code. - [PROMPT_INJECTION]:
- Indirect Prompt Injection: The skill is vulnerable to indirect prompt injection through the ingestion of external seed datasets as described in
references/seed-datasets.md. - Ingestion points: The skill reads local files (Parquet, CSV, JSON, JSONL) as seed sources to bootstrap data generation.
- Boundary markers: There are no explicit instructions or delimiters provided to the agent to distinguish between valid seed data and potential malicious instructions embedded within the datasets.
- Capability inventory: The skill possesses the capability to write Python scripts and execute shell commands through the
data-designertoolset. - Sanitization: No evidence of sanitization or validation of the content within seed datasets is present before the data is interpolated into Jinja2 templates.
- Instruction Override: The Troubleshooting section in
SKILL.mdcontains an instruction for the agent to suggest retrying commands with the sandbox disabled if network errors occur. Although this action is gated by a request for user permission, it guides the agent to bypass platform security constraints.
Audit Metadata