q-scholar
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONSAFE
Full Analysis
- [DYNAMIC_EXECUTION]: The script
q-multimodal/scripts/gemini/batch/utils.pyemploysimportlib.utilto dynamically load and execute a configuration file (pipeline_config.py). This pattern allows for the execution of arbitrary Python code defined within the configuration file at runtime. - [COMMAND_EXECUTION]: The media processing scripts
q-multimodal/scripts/opensmile/audio_features.pyandq-multimodal/scripts/pillow/video_features.pyutilizesubprocess.runto invokeffmpegfor audio and frame extraction. While these calls use list-based arguments (which is generally safer), they operate on file paths derived directly from user-provided datasets (Excel/CSV), which could lead to unexpected behavior if path names are maliciously crafted. - [INDIRECT_PROMPT_INJECTION]: The
q-multimodalandq-tfsub-skills ingest untrusted data from user-provided tabular files (e.g., image captions, document text) and interpolate this content directly into prompts sent to the Gemini API. - Ingestion points: Dataset files loaded via
pandas.read_excelinq-multimodal/scripts/gemini/batch/0uploadMedia.pyandq-tf/scripts/classify_outliers.py. - Boundary markers: The skill lacks explicit delimiters or instructions to ignore embedded commands within the ingested metadata and text fields.
- Capability inventory: The skill has the ability to write files (checkpoints), perform network operations (Gemini API), and execute shell commands (
ffmpeg). - Sanitization: There is no evidence of sanitization or escaping for the user-provided text before it is sent to the LLM.
- [DATA_EXPOSURE]: The skill requires the use of API keys (
GOOGLE_API_KEY,GEMINI_API_KEY) stored in.envfiles. While this is a standard and recommended practice for secret management, the skill's media upload scripts have broad read access to the local filesystem to process datasets and media files.
Audit Metadata