tidy
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses highly sensitive user data, including financial transaction history via the 'query' tool and private communications via email search. While this access is central to the skill's function of matching receipts and identifying merchants, it creates a significant exposure surface for personal and financial information.
- [COMMAND_EXECUTION]: The skill utilizes an 'admin' tool with actions to 'preview' and 'create' rules. This allows the agent to modify the persistent configuration of the transaction management system, which represents an administrative capability triggered by the agent's logic.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its workflow involves processing untrusted strings from external sources which could influence its decision-making.
  - Ingestion points: Untrusted data enters the context via transaction descriptions (Step 1), merchant information from web search results (Step 2), and order details or receipt content from the user's email (Step 2).
  - Boundary markers: There are no specified delimiters or instructions to treat data from these external sources as untrusted or to ignore any embedded instructions.
  - Capability inventory: The agent possesses the capability to modify system state through the 'admin' tool for rule creation and the 'categorize' and 'set_party' tools for metadata updates.
  - Sanitization: The workflow does not specify any sanitization, filtering, or validation steps for the data retrieved from transactions, the web, or emails before passing it to tool arguments.
Audit Metadata