saltra-integration
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, CREDENTIALS_UNSAFE)
Full Analysis
- [DATA_EXFILTRATION]: The skill logs the entire request and response objects at the debug level. This includes highly sensitive Personally Identifiable Information (PII) such as DNI/NIE, Social Security Numbers (NSS), names, and birth dates.
- [CREDENTIALS_UNSAFE]: The debug logging captures the 'cert_secret' (digital certificate secret), which is passed within the data object in the generic operation function. This exposes cryptographic secrets in the application logs.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing external data payloads and transmitting them to a remote API.
  - Ingestion points: 'datos' parameter in 'nuevaOperacionSaltra'.
  - Boundary markers: Absent from the implementation.
  - Capability inventory: Network POST requests via axios.
  - Sanitization: Documentation mentions Zod validation in a checklist, but no sanitization or validation logic is present in the provided code.
Audit Metadata