create-proposal
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE; CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script `scripts/read_sheet.py` saves sensitive Google OAuth2 tokens to a local file `token.json`. Storing credentials in predictable plaintext files on the local filesystem increases the risk of exposure if the environment is shared or compromised.
- [COMMAND_EXECUTION]: The `SKILL.md` instructions direct the agent to execute Python scripts via the bash shell using heredocs to pass dynamically generated JSON input. While the use of quoted heredocs (`<<'EOF'`) prevents shell interpolation, the script still executes logic based on LLM-generated data.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it extracts strategic content from untrusted sources, such as sales call transcripts, without using boundary markers or sanitization.
  - Ingestion points: The `call_transcript` input field in `SKILL.md` accepts raw external data that is processed to generate proposal content.
  - Boundary markers: Absent. The instructions do not define delimiters (e.g., XML tags) to isolate the transcript data from the agent's internal reasoning.
  - Capability inventory: The skill possesses network access to the PandaDoc and Google APIs via `requests` and `gspread`, and has write access to the filesystem for temporary data and credential storage.
  - Sanitization: Absent. The skill extracts problems and benefits directly from user-provided transcripts and interpolates them into formal document tokens without validation.
Audit Metadata