financekit

Warn

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains deceptive metadata and references, such as claims of targeting non-existent system versions (iOS 26+) and providing links to unofficial documentation domains. This misleading information can lead to incorrect assumptions about the skill's environment and safety.
  • [PROMPT_INJECTION]: The skill creates an attack surface for indirect prompt injection by retrieving untrusted financial transaction data, including merchant names and transaction descriptions. If this data is processed by an AI agent without adequate sanitization or the use of clear boundary markers, it could be used to inject malicious instructions.
      • Ingestion points: Data enters the context via FinanceStore.transactions, FinanceStore.transactionHistory, and the TransactionPicker component.
      • Boundary markers: The documentation lacks instructions for using delimiters or 'ignore' warnings when handling retrieved strings.
      • Capability inventory: The skill code retrieves sensitive data that could be exposed to other tools or network operations if the agent is poorly configured.
      • Sanitization: No evidence of sanitization, filtering, or validation of the retrieved transaction strings is provided in the instructions.
  • [DATA_EXFILTRATION]: The skill facilitates access to highly sensitive personal financial information, such as Apple Card transaction history, account balances, and credit information. While the framework is designed for on-device use, retrieving this data into an agent's context creates a significant exposure risk if the agent has network capabilities or if the data is handled insecurely.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 28, 2026, 08:14 PM