bid-leveling
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW (EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [External Downloads] (LOW): The script `scripts/generate_pdf.py` utilizes the `reportlab` library for PDF generation. This is a well-established and trusted package within the Python ecosystem, posing negligible risk in standard environments.
- [Indirect Prompt Injection] (LOW): The skill is designed to process external, untrusted documents (bids, proposals). There is an inherent risk that an attacker could embed instructions in a bid document to manipulate the AI's extraction logic (e.g., hiding exclusions or inflating values).
  - Ingestion points: `scripts/generate_pdf.py` processes the structured output derived from bid documents.
  - Boundary markers: No explicit delimiters are defined in the instructions to prevent the model from following instructions found within the bid text.
  - Capability inventory: The skill can write files to the local system (the generated PDF report) but lacks network or shell execution capabilities.
  - Sanitization: The PDF generator uses `reportlab.platypus.Paragraph`, which renders text but does not execute it; however, there is no logic to sanitize the content extracted from the bids for deceptive language.
Audit Metadata