servicenow-change-workflow
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands using environment variables (e.g., $SERVICENOW_MCP_SCRIPT, $PYATS_MCP_SCRIPT, $GAIT_MCP_SCRIPT) to invoke Python scripts via a wrapper ($MCP_CALL). This is a standard pattern for this type of agent skill but constitutes dynamic command execution.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its interaction with untrusted external data.
- Ingestion points: Data enters the agent context through ServiceNow incident lists (
list_incidents), change request details (get_change_request_details), and network device outputs (pyats_run_show_command,pyats_show_logging). - Boundary markers: The instructions do not define clear delimiters or use 'ignore embedded instructions' markers when processing the output of these tools.
- Capability inventory: The agent has significant capabilities, including the ability to approve change requests (
approve_change) and modify network device configurations (pyats_configure_device). - Sanitization: No explicit sanitization or validation of the data retrieved from external APIs or device CLI outputs is performed before it is used to make logic decisions (e.g., the 'Decision gate' in Phase 0 and Phase 4).
Audit Metadata