Skills
skills/avvale/aurora-front/aurora-sheets-sync/Gen Agent Trust Hub

aurora-sheets-sync

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFECREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill references and manages a Google Service Account JSON file at 'scripts/aurora-sheets-sync/credentials/service-account.json' to authenticate with the Google Sheets API.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute 'npm install' for dependency management and 'npx ts-node' to run local synchronization scripts.
  • [EXTERNAL_DOWNLOADS]: Running 'npm install' results in the download and installation of third-party packages from the NPM registry.
  • [PROMPT_INJECTION]: The skill reads data from external Google Spreadsheets and writes it to local YAML files, which presents a surface for indirect prompt injection.
  • Ingestion points: The 'pull' command reads content from a remote 'spreadsheetId' defined in the configuration.
  • Boundary markers: No specific delimiters or instructions are used to separate spreadsheet data from the system's generation logic.
  • Capability inventory: The skill possesses 'Bash', 'Write', and 'Edit' capabilities, allowing it to modify files in the local environment.
  • Sanitization: There is no documented validation or sanitization of spreadsheet cell content before it is transformed into YAML properties.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 9, 2026, 11:36 PM