prior-auth-review-skill

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Categories analyzed: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection because it ingests and processes untrusted clinical documentation from external sources.
      • Ingestion points: Clinical documentation, provider credentials, and PA request details are ingested in Subskill 1 (README.md).
      • Boundary markers: The skill instructions do not specify the use of delimiters or 'ignore' instructions to isolate untrusted patient data from the reasoning logic.
      • Capability inventory: The skill has the capability to write to the file system (waypoints/ and outputs/) and perform network operations via WebFetch and MCP tools.
      • Sanitization: There is no evidence of sanitization or filtering of the clinical text before it is used to influence decision-making or generate notification letters.
  • EXTERNAL_DOWNLOADS (LOW): The skill uses WebFetch to access the CMS Fee Schedule and utilizes multiple MCP connectors (NPI, ICD-10, CMS Coverage). These are legitimate healthcare tools but involve external network dependencies.
  • DATA_EXFILTRATION (SAFE): The skill handles sensitive PII and PHI (Member ID, DOB, clinical records). While these are stored in local JSON/text files, this behavior is aligned with the skill's stated purpose, and no malicious exfiltration patterns were identified.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 05:37 PM