competitor-tracking
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it is designed to ingest and summarize untrusted data from external sources, specifically app store titles, descriptions, and user reviews.
  - Ingestion points: External data enters the agent context via the Appeeky API (e.g., `api.appeeky.com/v1/apps/:id/reviews`).
  - Boundary markers: The skill does not define specific delimiters or instructions to the agent to disregard potential instructions embedded within the competitive data.
  - Capability inventory: The skill provides templates for reporting and includes a Bash script example that utilizes `curl` and `jq` for data processing.
  - Sanitization: No explicit sanitization, filtering, or escaping of the fetched external text is mentioned before it is presented to the agent for analysis.
- [COMMAND_EXECUTION]: The skill provides a functional Bash script (`#!/bin/bash`) as an example for users to automate data retrieval. The script executes shell commands including `curl` for network requests and `jq` for parsing JSON data.
- [EXTERNAL_DOWNLOADS]: The skill's instructions and provided scripts perform network operations to an external API (`api.appeeky.com`) to fetch market intelligence data.
Audit Metadata