csv-export
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXFILTRATION]: The skill implements functionality to export sensitive procurement records from the application's Convex database to the user's local file system. This is the primary intended behavior and is triggered by user interaction with UI components.
- [PROMPT_INJECTION]: The skill contains a processing surface for untrusted data during file generation.
  - Ingestion points: Data is retrieved from the 'rfps', 'evaluations', and 'pursuits' tables in the Convex database (convex/exports.ts).
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used during data concatenation.
  - Capability inventory: The skill utilizes the 'Read', 'Grep', and 'Glob' tools and triggers client-side file downloads.
  - Sanitization: The 'escapeForCsv' function (services/csvExport.ts) handles standard CSV delimiters and quotes but does not sanitize for formula injection characters such as '=', '+', '-', or '@', which is a best-practice violation rather than a malicious behavior.
Audit Metadata