proposal-builder

Pass

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: SAFE
Finding category: PROMPT_INJECTION

Full Analysis
  • [PROMPT_INJECTION]: Indirect prompt injection surface identified in the proposal assembly logic.
  • Ingestion points: External RFP data enters the context via the matchBlocksToRfp and assembleProposal functions, specifically through the rfp.title and rfp.description fields.
  • Boundary markers: Absent. The skill builds the final document with plain string replacement (e.g., {{PROJECT_TITLE}}) and adds no delimiters around the external content or instructions to ignore commands embedded in it.
  • Capability inventory: The skill uses the Read, Grep, and Glob tools for filesystem access and Convex mutations for database persistence.
  • Sanitization: Absent. Untrusted external content from the RFP object is interpolated directly into the proposal content without validation or escaping.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 26, 2026, 03:08 PM