cardtrader-api
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection because it ingests and processes data from external and user-provided sources.
- Ingestion points: Data enters the agent context through API responses from
api.cardtrader.com(such as product descriptions inGET /marketplace/products) and via user-provided CSV files in thePOST /product_importsoperation. - Boundary markers: There are no specified delimiters or instructions for the agent to ignore potentially malicious instructions embedded within the ingested data.
- Capability inventory: The skill allows for significant state changes, including creating, updating, and deleting marketplace products, as well as managing shopping carts and purchases.
- Sanitization: No sanitization, validation, or escaping of the content within the ingested marketplace data or CSV files is mentioned or implemented.
Audit Metadata