get-qualified-leads-from-luma
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted attendee data (bios, titles, company names) scraped from public Luma events and interpolates this content into a prompt for lead qualification. This creates a surface where an attacker could embed malicious instructions in their Luma profile to manipulate the qualification results or subsequent agent actions.
- Ingestion points: Luma attendee data extracted via `scrape_event.py` (SKILL.md, Step 1).
- Boundary markers: Absent; the qualification task (SKILL.md, Step 3) does not appear to use delimiters or explicit instructions to ignore embedded commands in the attendee data.
- Capability inventory: Subprocess execution (python3), file system writes (/tmp/), network POST requests (urllib.request), and Google Sheets API access (SKILL.md).
- Sanitization: Absent; the skill does not mention filtering or escaping the scraped text before processing it with an LLM.
- [DATA_EXFILTRATION]: The skill transmits extracted lead data, including names and LinkedIn URLs, to a user-provided Slack webhook URL using `urllib.request` (SKILL.md, Step 5). While this is the intended functionality, it constitutes a network operation to a non-whitelisted external domain.
- [COMMAND_EXECUTION]: The skill executes local Python scripts (`scrape_event.py`) using the `python3` command to perform data scraping (SKILL.md, Step 1).