pydantic-ai-harness
Warn
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill implements a
CodeModecapability that allows the agent to generate and execute Python scripts at runtime via arun_codetool. This mechanism is designed to orchestrate tool calls and process data using dynamic logic (loops, branches, andasyncio.gather), which constitutes runtime code generation and execution. - [COMMAND_EXECUTION]: The 'Monty' sandbox used for execution allows the use of the
osandpathlibstandard library modules. This creates a potential surface for file system interaction or system discovery, which could be exploited if the sandbox implementation does not strictly isolate the execution environment from the host's sensitive file paths. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it transforms user-supplied instructions into executable code. Malicious input could attempt to bypass intended logic or perform unauthorized tool orchestration.
- Ingestion points: User prompts are processed by
agent.run_sync()and translated into Python code. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the instructions to protect the code generation process.
- Capability inventory: The
run_codetool has the capability to execute arbitrary logic and call any tool configured within theToolSelector(e.g.,tools='all'). - Sanitization: The skill relies on the Monty sandbox subset restrictions rather than input validation or script sanitization to prevent malicious behavior.
Audit Metadata