vendor-check
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Full Analysis
- System Integration and Data Access: The skill is designed to interact with internal business systems (CLM, CRM, Email, Document Storage, and Chat) to aggregate vendor information.
- This access is consistent with the skill's primary purpose of providing a consolidated vendor agreement status.
- The workflow explicitly includes a step (Step 6) to handle scenarios where specific systems are not connected, ensuring the agent informs the user about the scope of the data search.
- Indirect Prompt Injection Surface: As the skill processes data from external sources like email and chat, it has an inherent surface for indirect prompt injection if those sources contain malicious instructions.
- Ingestion points: Data enters the context from CLM, CRM, Email, and Chat systems (SKILL.md).
- Boundary markers: None explicitly defined in the instructions for separating data from instructions.
- Capability inventory: The skill primarily performs read operations and data aggregation; no file-writing or subprocess execution capabilities are present.
- Sanitization: No explicit sanitization or filtering of external content is described.
- Privilege and Persistence: The skill does not request elevated permissions (sudo), attempt to modify system configurations, or establish persistence mechanisms.
- External Dependencies: No external package installations (Python/Node.js) or remote code downloads are referenced.
Audit Metadata