Agent Card Provisioning
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFENO_CODE
Full Analysis
- [NO_CODE]: The skill consists entirely of markdown documentation and API examples. No executable scripts, Python packages, or Node.js dependencies were identified.
- [DATA_EXFILTRATION]: The skill provides access to sensitive financial data, including PAN, CVV, and expiry dates, through the 'proxy.cards.get_sensitive' method. While this constitutes a high-risk data surface, it is a core feature of the intended card provisioning service. No evidence of unauthorized data transfer to untrusted third-party domains was found.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface through user-provided intent data. 1. Ingestion points: 'merchant' and 'description' fields in 'proxy.intents.create'. 2. Boundary markers: No delimiters or protective instructions are documented for these fields. 3. Capability inventory: The skill can issue functional payment instruments (virtual cards). 4. Sanitization: No specific input sanitization is mentioned, though the 'Policy Evaluation' phase acts as a logical control.
Audit Metadata