code-injection_skill

This skill identifies and mitigates code injection vulnerabilities in AI systems by testing prompt-to-code, tool exploitation, and template injection vectors.
  • Python

1

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill pluginagentmarketplace/custom-plugin-ai-red-teaming --skill code-injection

  • SKILL.md6.3 KB

Overview

This skill tests AI systems for code injection vulnerabilities, including prompt-to-code attacks, template injection, agent tool exploitation, and NL-to-SQL abuse. It provides payload sets, test harnesses, and classification guidance to identify risky behaviours and prioritize remediation. Use it to surface critical execution, sandbox escape, and data-exfiltration paths in agent-based and model-integrated systems.

How this skill works

The skill runs categorized payloads against target components and inspects responses and side effects to detect execution, file access, network exfiltration, and SQL injection patterns. It uses explicit code-execution strings, template payloads, and natural-language prompts translated to SQL to reveal unsafe translations. Results are grouped into vulnerable/blocked or vulnerable/safe buckets and annotated with severity to guide remediation.

When to use it

  • During red-team assessments of conversational agents or code-generation models
  • When integrating external tools or execution runtimes into an agent
  • Prior to exposing model outputs to interpreters, templates, or databases
  • After configuration changes to sandboxes, runtime permissions, or plugins
  • To validate mitigations for template rendering and NL-to-SQL translators

Best practices

  • Run tests in isolated environments with strict resource and network controls
  • Cover multiple vectors: direct code payloads, template languages, and NL-to-SQL prompts
  • Classify findings by severity and reproduce with minimal payloads for developer triage
  • Combine static detection (pattern matching) with dynamic checks (execution outcomes)
  • Test variations: obfuscation, encoding, chained actions, and tool-chaining scenarios

Example use cases

  • Probe an agent that can run Python snippets to detect sandbox escapes and arbitrary command execution
  • Validate that a Jinja2-rendered web endpoint blocks server-side template injection payloads
  • Assess an NL-to-SQL translator for semantic injections that exfiltrate schema or run destructive statements
  • Test tool-chaining agents that can call file_read, http_post, or shell tools for data exfiltration risks
  • Measure efficacy of output filtering by attempting obfuscated payloads and encoding bypasses

FAQ

Yes—tests can include payloads that attempt execution. Always run them in controlled, isolated environments with no external network access and minimal privileges.

How are severities assigned?

Severity maps to impact: CRITICAL for arbitrary code execution, sandbox escape, or DB compromise; HIGH for file or limited execution; MEDIUM/LOW for filtered or theoretical issues.

Can this test generate false positives?

Yes. Use minimal reproducer payloads and corroborate dynamic evidence (side effects, returned output) to reduce false positives.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational