python-sdk
Warn
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: Documentation files references/tool-builder.md and references/agent-patterns.md include code snippets that utilize the eval() function to handle logic defined in tool arguments (e.g., result = eval(call.args['expression'])). This is an unsafe coding pattern that allows for arbitrary code execution. If an agent follows these examples when implementing tools, it creates a high-risk vulnerability.- [EXTERNAL_DOWNLOADS]: The skill instructions direct the installation of the inferencesh package from PyPI and suggest adding external skills using npx. While these are necessary for the skill's stated purpose of providing an SDK for the inference.sh service, they involve fetching and executing remote code from package registries.
Audit Metadata