
python-sdk

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: CRITICAL
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis

================================================================================

🔴 VERDICT: CRITICAL

This skill contains a critical command execution vulnerability due to the use of eval() on user-controlled input within a tool handler example. This allows arbitrary Python code execution. Additionally, the skill involves installing external dependencies, making network requests to a third-party service, uploading local files, and defining tools that can delete files or make calls to arbitrary webhooks, which introduce significant data exfiltration and command execution risks.

Total Findings: 17

🔴 CRITICAL Findings:

  • Command Execution (eval)
    • references/tool-builder.md: Line 265: eval(call.args["expression"])

🔴 HIGH Findings:

  • Data Exfiltration (File Uploads)
    • SKILL.md: Line 79: client.upload_file("/path/to/image.png")
  • Data Exfiltration (File Uploads - Base64)
    • references/files.md: Line 57: b64 = base64.b64encode(f.read()).decode()
  • Data Exfiltration (Agent File Attachments)
    • SKILL.md: Line 266: files=[f.read()]
  • Data Exfiltration (Arbitrary Webhooks)
    • SKILL.md: Line 209: webhook_tool("slack", "https://hooks.slack.com/...")
  • Data Exfiltration (Browser Automation)
    • references/sessions.md: Line 109: client.run({"app": "browser-automation", "input": {"action": "click", "selector": "#login-btn"}, "session": session_id})
  • Privilege Escalation/Command Execution (File Deletion Tool)
    • references/agent-patterns.md: Line 104: tool("delete_file").describe("Delete a file from the filesystem")
  • Command Execution (Internal Tools - code_execution)
    • SKILL.md: Line 230: internal_tools().code_execution(True)

🟡 MEDIUM Findings:

  • Unverifiable Dependency (inferencesh)
    • SKILL.md: Line 11: pip install inferencesh
  • Unverifiable Dependency (tqdm)
    • references/async-patterns.md: Line 149: from tqdm.asyncio import tqdm
  • Unverifiable Dependency (requests)
    • references/files.md: Line 106: import requests
  • Unverifiable Dependency (aiohttp)
    • references/files.md: Line 122: import aiohttp
  • External Downloads (inference.sh API calls)
    • SKILL.md: Line 15: client = inference(api_key="inf_your_key")
  • External Downloads (Tavily Search)
    • references/agent-patterns.md: Line 50: app_tool("search", "tavily/search-assistant@latest")
  • External Downloads (Arbitrary URLs for download)
    • references/files.md: Line 106: response = requests.get(image_url)
  • Credentials Unsafe (Direct API Key in example)
    • SKILL.md: Line 28: client = inference(api_key="inf_your_key")
  • Credentials Unsafe (GITHUB_TOKEN secret)
    • references/tool-builder.md: Line 140: .secret("GITHUB_TOKEN")

🔵 LOW Findings:

  • Indirect Prompt Injection Susceptibility
    • The skill interacts with LLMs and processes user input, making it inherently susceptible to indirect prompt injection from processed content.

================================================================================

Recommendations

  • AI detected serious security threats

Audit Metadata

  Risk Level: CRITICAL
  Analyzed: Feb 12, 2026, 09:57 AM
Security Audit — agent-trust-hub — python-sdk