real-estate-workflows

Pass

Audited by Gen Agent Trust Hub on Feb 24, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface: it scrapes external listing URLs via Firecrawl and interpolates the results directly into the script-generation prompts sent to Gemini AI.
  • Ingestion points: The listingUrl provided in the workflow request is processed by the scrapeProperty function in rules/url-to-video.md.
  • Boundary markers: The prompt templates SHOWCASE_PROMPT and SOCIAL_PROMPT lack explicit boundary markers or delimiters (like XML tags or 'ignore instructions' warnings) when injecting the JSON-stringified property data.
  • Capability inventory: The skill possesses significant capabilities including file writing (Write), shell access (Bash), and network operations via webhooks and external SDKs.
  • Sanitization: While the code references validatePropertyData, the logic is not provided, and the AI output is directly parsed as JSON, which can be manipulated if the source listing contains malicious instructions.
  • [DATA_EXFILTRATION]: The workflow includes a webhook notification system that sends POST requests to a webhookUrl. If this URL is user-controlled and not restricted, it could be used for Server-Side Request Forgery (SSRF) to interact with internal services or exfiltrate metadata.
  • [EXTERNAL_DOWNLOADS]: The implementation relies on standard SDKs from well-known technology providers for its core pipeline, including @google/generative-ai for scripting, openai for text-to-speech, and @remotion/lambda for video rendering. These are documented as trusted integrations within the skill's context.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 24, 2026, 12:31 PM