just-fucking-cancel
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted external data from bank transaction CSVs, which provides a significant attack surface.
  * Ingestion points: SKILL.md (Workflow Step 1) specifies reading bank/card CSV exports (Apple Card, Chase, Mint).
  * Boundary markers: Absent. No delimiters or 'ignore embedded instructions' warnings are mentioned for processing CSV fields like merchant descriptions.
  * Capability inventory: Step 5 (Browser automation to navigate and cancel) and Step 4 (HTML file generation) provide high-privilege execution and write capabilities.
  * Sanitization: Absent. There is no mention of escaping or validating CSV content before it is interpolated into the HTML audit or browser automation scripts.
- Data Exposure & Exfiltration (HIGH): The skill accesses and processes highly sensitive financial data.
  * Exposure: Reads CSV files containing full transaction histories and financial metadata.
  * Risk: The 'Privacy' section's claim that data stays local is a self-referential statement that cannot be verified. If the agent has network access, this financial data could be exfiltrated.
- Command Execution (HIGH): The workflow involves 'browser automation to navigate and cancel' services.
  * Risk: Automated browser control is a powerful capability. If the navigation logic is influenced by malicious strings within the untrusted CSV data (e.g., a merchant name that is actually a URL or script), it could lead to unauthorized actions or navigation to malicious domains.
Recommendations
- AI detected serious security threats
Audit Metadata