mtpy
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [SAFE]: All components of the skill, including the scripts and documentation, are consistent with the stated purpose of magnetotelluric data analysis. The dependencies (mtpy, numpy, matplotlib, pandas) are standard scientific packages. The script logic in
scripts/mt_analysis.pyfollows best practices for data processing and does not request excessive privileges or perform network operations. A minor metadata discrepancy exists between the author name in the skill files (Geoscience Skills) and the system context (SteadfastAsArt), but this does not pose a security risk. - [PROMPT_INJECTION]: The skill processes external data via EDI files, which introduces an indirect prompt injection surface through metadata fields such as station names or info sections.
- Ingestion points: EDI files are loaded in
scripts/mt_analysis.py(line 39) andSKILL.md(lines 19, 44) using themtpy.MTandMTCollectionclasses. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when metadata from the files is processed.
- Capability inventory: The skill's capabilities are restricted to local file operations (reading EDI, writing CSV/Excel/PNG). It lacks network access, subprocess execution, or persistence mechanisms.
- Sanitization: The skill relies on the mtpy library's internal parser. While it does not explicitly sanitize text strings before display or processing, the limited capabilities of the skill render this surface non-exploitable for significant malicious actions.
Audit Metadata