dag-typesafe

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The compile.py script generates Python or TypeScript source code based on a DAG plan. This plan includes 'certificate predicates' (boolean expressions) that are directly interpolated into the generated executable. Although the script performs AST-based validation against a whitelist of safe nodes and functions, generating executable code from LLM-influenced output is a high-risk pattern that could lead to code execution if the validator is bypassed.\n- [DATA_EXFILTRATION]: The compose.py script sends the repository's 'registry' (a JSON representation of the public API surface including signatures and docstrings) to external LLM providers (configured via DAG_LLM_BASE_URL). This exposes internal code structure and documentation to third-party services.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. The analyze command extracts docstrings and types from the target repository, which are then used to build the prompt in compose.py. Malicious content embedded in the repository's source code could influence the LLM to generate an unsafe or incorrect DAG plan.\n- [COMMAND_EXECUTION]: The skill relies on executing several Python scripts (analyze.py, compose.py, compile.py) that perform extensive file system operations, including walking the repository directory and writing generated JSON and source files to disk.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 19, 2026, 04:39 PM
Security Audit — agent-trust-hub — dag-typesafe