python-sdk
Audited by Gen Agent Trust Hub on Feb 12, 2026
================================================================================
🔴 VERDICT: CRITICAL
This skill contains a critical command execution vulnerability due to the use of eval() on user-controlled input within a tool handler example. This allows arbitrary Python code execution. Additionally, the skill involves installing external dependencies, making network requests to a third-party service, uploading local files, and defining tools that can delete files or make calls to arbitrary webhooks, which introduce significant data exfiltration and command execution risks.
Total Findings: 17
🔴 CRITICAL Findings:
• Command Execution (eval)
- references/tool-builder.md: Line 265:
eval(call.args["expression"])
🔴 HIGH Findings:
• Data Exfiltration (File Uploads)
- SKILL.md: Line 79:
client.upload_file("/path/to/image.png")
• Data Exfiltration (File Uploads - Base64)
- references/files.md: Line 57:
b64 = base64.b64encode(f.read()).decode()
• Data Exfiltration (Agent File Attachments)
- SKILL.md: Line 266:
files=[f.read()]
• Data Exfiltration (Arbitrary Webhooks)
- SKILL.md: Line 209:
webhook_tool("slack", "https://hooks.slack.com/...")
• Data Exfiltration (Browser Automation)
- references/sessions.md: Line 109:
client.run({"app": "browser-automation", "input": {"action": "click", "selector": "#login-btn"}, "session": session_id})
• Privilege Escalation/Command Execution (File Deletion Tool)
- references/agent-patterns.md: Line 104:
tool("delete_file").describe("Delete a file from the filesystem")
• Command Execution (Internal Tools - code_execution)
- SKILL.md: Line 230:
internal_tools().code_execution(True)
🟡 MEDIUM Findings:
• Unverifiable Dependency (inferencesh)
- SKILL.md: Line 11:
pip install inferencesh
• Unverifiable Dependency (tqdm)
- references/async-patterns.md: Line 149:
from tqdm.asyncio import tqdm
• Unverifiable Dependency (requests)
- references/files.md: Line 106:
import requests
• Unverifiable Dependency (aiohttp)
- references/files.md: Line 122:
import aiohttp
• External Downloads (inference.sh API calls)
- SKILL.md: Line 15:
client = inference(api_key="inf_your_key")
• External Downloads (Tavily Search)
- references/agent-patterns.md: Line 50:
app_tool("search", "tavily/search-assistant@latest")
• External Downloads (Arbitrary URLs for download)
- references/files.md: Line 106:
response = requests.get(image_url)
• Credentials Unsafe (Direct API Key in example)
- SKILL.md: Line 28:
client = inference(api_key="inf_your_key")
• Credentials Unsafe (GITHUB_TOKEN secret)
- references/tool-builder.md: Line 140:
.secret("GITHUB_TOKEN")
🔵 LOW Findings:
• Indirect Prompt Injection Susceptibility
- The skill interacts with LLMs and processes user input, making it inherently susceptible to indirect prompt injection from processed content.
================================================================================
- AI detected serious security threats