SkillAudit report — pydantic/pydantic-ai

Scanned 2026-04-24 by SkillAudit v0.2 (static checks + LLM-assisted prompt-injection red-team).

Commit: 832c1d8 · Stars: 16583 · Days since last push: 0

LLM prompt-injection probe: no-tool-surface

Overall grade: F (10/100)

Security findings

Production sources:

• WARN docs-site/src/index.ts:27 — HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)

const r = await env.ASSETS.fetch(url)

• WARN docs-site/src/index.ts:79 — HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)

const response: Response = await fetch(url, { headers })

• WARN docs-site/src/index.ts:131 — HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)

const r = await env.ASSETS.fetch(url)

Permissions

_No findings on this axis._

Credentials

Production sources:

• HIGH scripts/verify_bedrock_access.py:18 — print of os.environ — entire env leaks to stdout and LLM context

print(f'AWS_SECRET_ACCESS_KEY: {"set" if os.environ.get("AWS_SECRET_ACCESS_KEY") else "NOT SET"}')

• HIGH scripts/verify_bedrock_access.py:19 — print of os.environ — entire env leaks to stdout and LLM context

print(f'AWS_BEARER_TOKEN_BEDROCK: {"set" if os.environ.get("AWS_BEARER_TOKEN_BEDROCK") else "not set (good)"}')

• HIGH scripts/verify_vertex_gcs.py:58 — print of os.environ — entire env leaks to stdout and LLM context

print(f'Project: {os.environ.get("GOOGLE_PROJECT")}')

• HIGH scripts/verify_vertex_gcs.py:59 — print of os.environ — entire env leaks to stdout and LLM context

print(f'Location: {os.environ.get("GOOGLE_LOCATION", "global")}')

• HIGH scripts/verify_vertex_gcs_all_types.py:71 — print of os.environ — entire env leaks to stdout and LLM context

print(f'Project: {os.environ.get("GOOGLE_PROJECT")}')

Test-site findings (lower weight): 1 total in test/ paths — first 3 shown

• HIGH tests/conftest.py:755 — Hardcoded AWS access key found in source

AKIA*** (AWS access key, 20 chars)

Maintenance

Production sources:

• WARN (meta) — 503 open issues — triage backlog

503 open

Compatibility

_No findings on this axis._

Documentation

Production sources:

• WARN (meta) — No SECURITY.md — no disclosure channel for vulnerabilities

missing

Methodology

SkillAudit v0.2 clones the repo at the provided ref (default: default branch, HEAD) into an ephemeral sandbox, runs six static checks over .js/.ts/.py sources, queries the GitHub API for maintenance signals, and runs an LLM-assisted prompt-injection red-team over the MCP tool surface. Each axis is scored against the rubric at .

The prompt-injection axis extracts each server.tool(...) / @app.tool registration + the first ~60 lines of handler body, hands them to Claude Haiku 4.5 with a red-team system prompt, and asks for structured findings on untrusted-content flow into tool responses. One API call per scan, bounded at ~15K input tokens.

How to improve this grade

• Security — static: validate tool-input URLs against an allowlist before fetch/axios calls; use execFile with argv arrays instead of exec with template strings; never pass untrusted strings to subprocess with shell=True.
• Security — prompt injection: never return fetched web-page / file / email content verbatim in a tool response. Wrap with a framing marker (e.g., <untrusted-content>...</untrusted-content>), summarize rather than inline, and never let untrusted content share a turn with credentials or other tool output.
• Credentials findings: redact env-var reads before log lines and error messages; treat any string that ends up in a tool response as public.
• Maintenance: if the repo is inactive, document the maintenance model — "MCP tool, no breaking changes expected" is a legitimate signal.
• Docs: add a README install + usage section with a copy-pasteable command; add a SECURITY.md with a disclosure channel.

_Report generated by skillaudit.dev_