data-pipeline
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [SAFE]: Security analysis of the skill configuration, documentation, and metadata revealed no evidence of obfuscation, malicious instructions, or unauthorized data exfiltration.
- [PROMPT_INJECTION]: The skill architecture facilitates the ingestion of external data from multiple sources, which presents a surface for indirect prompt injection.
- Ingestion points: Data is pulled from Shopify, Stripe, PostgreSQL, and various REST/GraphQL APIs.
- Boundary markers: No explicit delimiter or instruction-isolation markers are present in the provided templates.
- Capability inventory: The skill is equipped with tools for database queries, API fetching, and file transformations.
- Sanitization: While the templates demonstrate basic data parsing and cleaning (e.g., type conversion, whitespace trimming), they do not include specific sanitization logic to mitigate prompt injection from external data.
- [COMMAND_EXECUTION]: The skill utilizes JavaScript code blocks for data transformation workflows, representing a dynamic execution surface that is standard for ETL automation tools.
Audit Metadata