dag-typesafe
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The
compile.pyscript generates Python or TypeScript source code based on a DAG plan. This plan includes 'certificate predicates' (boolean expressions) that are directly interpolated into the generated executable. Although the script performs AST-based validation against a whitelist of safe nodes and functions, generating executable code from LLM-influenced output is a high-risk pattern that could lead to code execution if the validator is bypassed.\n- [DATA_EXFILTRATION]: Thecompose.pyscript sends the repository's 'registry' (a JSON representation of the public API surface including signatures and docstrings) to external LLM providers (configured viaDAG_LLM_BASE_URL). This exposes internal code structure and documentation to third-party services.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Theanalyzecommand extracts docstrings and types from the target repository, which are then used to build the prompt incompose.py. Malicious content embedded in the repository's source code could influence the LLM to generate an unsafe or incorrect DAG plan.\n- [COMMAND_EXECUTION]: The skill relies on executing several Python scripts (analyze.py,compose.py,compile.py) that perform extensive file system operations, including walking the repository directory and writing generated JSON and source files to disk.
Audit Metadata