Skills
skills/dedalus-erp-pas/foundation-skills/hpk-parser/Gen Agent Trust Hub

hpk-parser

Pass

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted external data in the form of raw HPK messages and interpolates it into the agent's context, creating a surface for indirect prompt injection if malicious instructions are embedded within message fields.
  • Ingestion points: Raw HPK messages as defined in SKILL.md.
  • Boundary markers: Absent; the skill instructions do not specify the use of delimiters or 'ignore' instructions for the data fields.
  • Capability inventory: The skill utilizes the @erp-pas/hpk-dictionary package for parsing logic.
  • Sanitization: Absent; the skill validates data structure and types but does not sanitize field content for embedded instructions.
  • [EXTERNAL_DOWNLOADS]: The skill references an external NPM package and documentation hosted on a vendor-controlled GitLab instance.
  • Source: @erp-pas/hpk-dictionary and https://gitlab-erp-pas.dedalus.lan/erp-pas/hexagone/hpk-dictionary which are associated with the author Dedalus-ERP-PAS.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 20, 2026, 07:58 AM