python-executor
Fail
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's primary function is to send and execute arbitrary Python code to the inference.sh cloud environment via the
beltCLI tool. - [COMMAND_EXECUTION]: The skill utilizes the
beltcommand-line interface to interact with the remote service, requiring the agent to execute shell commands with user-influenced arguments. - [EXTERNAL_DOWNLOADS]: The skill references and encourages the download of installation scripts from
github.com/inference-sh, which is an external source not included in the primary trusted list. - [DATA_EXFILTRATION]: The remote execution environment is pre-installed with network-capable libraries such as
requests,httpx,selenium, andplaywright, which allow the code to transmit data to arbitrary external endpoints. - [PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection (Category 8) where an attacker could influence the agent to generate and execute malicious Python scripts.
- Ingestion points: The
codefield in the JSON input for thebelt app runcommand. - Boundary markers: None found. There are no instructions or delimiters provided to ensure the agent handles user-influenced code safely.
- Capability inventory: The execution environment has full Python capabilities, including network access (via
requests), browser automation (viaplaywright), and file system access within the sandbox. - Sanitization: No sanitization or validation mechanisms are described to inspect the code before execution.
Recommendations
- AI detected serious security threats
Audit Metadata