weekly-kpi-report
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Vulnerability to Indirect Prompt Injection. The skill processes untrusted external data from user-uploaded Excel and CSV files to generate report titles, insights, and actionable recommendations.
  * Ingestion points: 'scripts/data_validator.py' and 'scripts/kpi_calculator.py' read content from external files.
  * Boundary markers: There are no explicit delimiters or system instructions provided to treat the insurance data as untrusted or to ignore embedded instructions during the report generation phase.
  * Capability inventory: The skill executes local Python scripts and writes output files to the filesystem.
  * Sanitization: While a 'data_validator.py' is used, its documented purpose is business logic and data quality validation rather than security sanitization of string inputs.
- [COMMAND_EXECUTION] (SAFE): The skill executes internal Python scripts to perform calculations and generate presentations. This is the intended primary function and does not involve executing arbitrary user-provided commands.
Audit Metadata