simple-report-export
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill processes financial data to generate reports and email content. This creates a surface where untrusted data could potentially influence the agent's behavior.
- Ingestion points: Financial data and user details provided to generate the
Tax_Report.pdf,Financial_Summary.xlsx, andEmail_Draft.txtfiles. - Boundary markers: None identified in the provided documentation or code snippets.
- Capability inventory: File system write access (
C:\ATO\ato-app\reports\) and network access via SMTP (Nodemailer). - Sanitization: No explicit sanitization or validation of the input data is described before it is interpolated into report templates.
- [External Downloads] (SAFE): The skill requires standard Node.js packages (
docx,exceljs,pdfkit,nodemailer) for document generation and email handling. These are well-known, legitimate packages from the npm registry. - [Credentials Unsafe] (SAFE): While the skill uses a Gmail App Password, the provided
GMAIL_APP_PASSWORD=abcdefghijklmnopis a placeholder example and does not constitute a hardcoded secret leak.
Audit Metadata