newsletter-sponsorship-finder
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [SAFE]: No malicious patterns, obfuscation, or unauthorized command execution were detected. The skill performs its described intelligence-gathering function using standard methods.
- [EXTERNAL_DOWNLOADS]: The helper script `scripts/search_newsletters.py` uses the `requests` library to fetch publication data from the Substack API (substack.com). This is a well-known service and the data retrieved is public metadata necessary for the skill's discovery process.
- [DATA_EXFILTRATION]: Network operations are restricted to querying the Substack API and performing web searches for public newsletter information. No sensitive local data, environment variables, or user credentials are accessed or transmitted.
- [PROMPT_INJECTION]: The skill ingests untrusted data from external sources to generate reports.
  - Ingestion points: Newsletter names and descriptions retrieved from the Substack API and WebSearch results (documented in `scripts/search_newsletters.py` and `SKILL.md`).
  - Boundary markers: None present in the prompt instructions to delimit external content.
  - Capability inventory: Writing findings to a markdown report file as described in the Output phase of `SKILL.md`.
  - Sanitization: No explicit sanitization or filtering of external text is performed before it is included in the output.
Audit Metadata