data-designer

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill frequently executes shell commands to interact with the environment and the data-designer CLI. This includes resolving the executable path, validating configuration scripts, and generating datasets (e.g., data-designer validate, data-designer preview, and data-designer create in workflows/autopilot.md and workflows/interactive.md).
  • [COMMAND_EXECUTION]: The skill generates Python scripts based on user requirements and subsequently executes them via the data-designer CLI. While this is the primary function of the skill, it involves the runtime execution of dynamically generated code.
  • [PROMPT_INJECTION]:
  • Indirect Prompt Injection: The skill is vulnerable to indirect prompt injection through the ingestion of external seed datasets as described in references/seed-datasets.md.
  • Ingestion points: The skill reads local files (Parquet, CSV, JSON, JSONL) as seed sources to bootstrap data generation.
  • Boundary markers: There are no explicit instructions or delimiters provided to the agent to distinguish between valid seed data and potential malicious instructions embedded within the datasets.
  • Capability inventory: The skill possesses the capability to write Python scripts and execute shell commands through the data-designer toolset.
  • Sanitization: No evidence of sanitization or validation of the content within seed datasets is present before the data is interpolated into Jinja2 templates.
  • Instruction Override: The Troubleshooting section in SKILL.md contains an instruction for the agent to suggest retrying commands with the sandbox disabled if network errors occur. Although this action is gated by a request for user permission, it guides the agent to bypass platform security constraints.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 18, 2026, 04:35 PM
Security Audit — agent-trust-hub — data-designer