pdf-report-generation
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW (NO_CODE)
Full Analysis
- [No Code] (SAFE): The skill file is composed entirely of markdown documentation, layout specifications, and compliance requirements. There are no executable scripts, shell commands, or logic-bearing code blocks.
- [Indirect Prompt Injection] (LOW): The skill defines a surface for processing external financial data into PDF reports. Ingestion points: Forensic analysis results and Xero API data (mentioned as sources). Boundary markers: None defined in the documentation. Capability inventory: Suggests usage of PDF rendering engines such as Puppeteer, Playwright, or PDFKit. Sanitization: No specific sanitization instructions are provided for the dynamic data being rendered. While this creates a potential surface for injection if an agent were to implement the renderer poorly, the skill itself is purely descriptive and includes security advice such as using signed URLs to avoid exposing local file paths to clients.
Audit Metadata