myob-api-integration
Pass
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: LOWNO_CODEPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill is designed to ingest external data from the MYOB API, including transaction notes, contact details, and payroll information. If this untrusted content contains malicious instructions, it could influence the downstream 'analysis engines'.
- Ingestion points: MYOB API via
lib/integrations/adapters/myob-adapter.tsandlib/integrations/myob-historical-fetcher.ts. - Boundary markers: None mentioned in documentation.
- Capability inventory: Normalizes data for consumption by 16 analysis engines.
- Sanitization: Documentation mentions normalization to a canonical schema, but does not specify natural language sanitization or escaping.
- No Executable Code (INFO): The analysis is limited to a markdown description file. No implementation logic (.ts, .js, .py) was provided for review. Architecture appears standard for OAuth-based integrations.
- Data Exposure & Exfiltration (INFO): The skill's stated purpose is to extract sensitive financial and payroll data. While 'read-only' and 'encrypted tokens' are mentioned, the movement of sensitive data to analysis engines is an inherent part of the skill's function.
Audit Metadata