promptfoo-evaluation

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx promptfoo@latest to download and run the Promptfoo evaluation tool. This is a standard and well-documented method for utilizing the framework.
  • [COMMAND_EXECUTION]: Provides instructions for running CLI commands such as eval, init, and view to manage the evaluation lifecycle.
  • [PROMPT_INJECTION]: Employs prompt templates with variable interpolation (e.g., {{user_input}}, {{task}}), which serves as a potential surface for indirect prompt injection if untrusted data is processed.
      • Ingestion points: Data is ingested from local files specified in tests/cases.yaml and prompt files like prompts/system.md.
      • Boundary markers: The skill uses standard double curly brace {{}} syntax for variable substitution but does not define explicit delimiters or escaping for interpolated content.
      • Capability inventory: The skill is capable of executing CLI commands and local Python scripts defined in the configuration (e.g., scripts/metrics.py).
      • Sanitization: No explicit sanitization or validation logic is provided for the input variables before they are interpolated into the prompts.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 2, 2026, 07:26 PM