backfilling-atproto

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [Data Exposure & Exfiltration] (LOW): The skill performs network requests to public.api.bsky.app, plc.directory, and dynamic PDS endpoints. These domains are not included in the trusted whitelist for network operations.
  • [Indirect Prompt Injection] (LOW): The skill implements a pattern for ingesting untrusted data from the ATProto network, which could be used for indirect prompt injection.
      • Ingestion points: The list_records function in SKILL.md retrieves arbitrary record data from remote PDS endpoints.
      • Boundary markers: No delimiters or safety instructions are present to distinguish ingested content from the agent's instructions.
      • Capability inventory: The skill demonstrates network reads and data iteration; no dangerous execution capabilities (e.g., file-write or subprocess calls) are present in the provided snippets.
      • Sanitization: There is no evidence of sanitization or validation of the fetched record values before they are processed.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:43 PM