onboarding-kickoff
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection in
scripts/casualize_company_names_batch.pyandscripts/instantly_create_campaigns.py. Untrusted content is interpolated directly into prompts for Claude. - Ingestion points: Business names are read from Google Sheets in
casualize_company_names_batch.py; client descriptions and offers are ingested from kickoff call data ininstantly_create_campaigns.py. - Boundary markers: Absent. The scripts use f-strings to embed data directly into prompts without delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill can execute local scripts via subprocess, interact with the Instantly API to create email campaigns, and send emails via the Gmail API.
- Sanitization: No validation or escaping is applied to the data before it is sent to the LLM.
- [COMMAND_EXECUTION]: The orchestration script
scripts/onboarding_post_kickoff.pyusessubprocess.runto chain multiple tools. While it uses list-based arguments to mitigate shell injection, the execution of multiple sub-scripts based on user-controlled variables increases the attack surface if inputs are not strictly validated.
Audit Metadata