pydantic-ai-harness

Warn

Audited by Gen Agent Trust Hub on Jun 12, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill implements a CodeMode capability that allows the agent to generate and execute Python scripts at runtime via a run_code tool. This mechanism is designed to orchestrate tool calls and process data using dynamic logic (loops, branches, and asyncio.gather), which constitutes runtime code generation and execution.
  • [COMMAND_EXECUTION]: The 'Monty' sandbox used for execution allows the use of the os and pathlib standard library modules. This creates a potential surface for file system interaction or system discovery, which could be exploited if the sandbox implementation does not strictly isolate the execution environment from the host's sensitive file paths.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it transforms user-supplied instructions into executable code. Malicious input could attempt to bypass intended logic or perform unauthorized tool orchestration.
  • Ingestion points: User prompts are processed by agent.run_sync() and translated into Python code.
  • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the instructions to protect the code generation process.
  • Capability inventory: The run_code tool has the capability to execute arbitrary logic and call any tool configured within the ToolSelector (e.g., tools='all').
  • Sanitization: The skill relies on the Monty sandbox subset restrictions rather than input validation or script sanitization to prevent malicious behavior.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 12, 2026, 08:35 PM
Security Audit — agent-trust-hub — pydantic-ai-harness