context-building
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection through its data ingestion modes.
  - Ingestion points: In `SKILL.md`, Mode 3 (Call Recording Capture) ingests pasted transcripts or meeting notes, and Mode 4 (Feedback Loop) processes campaign results from CSVs or external email sequencers like Instantly.
  - Boundary markers: The skill instructions do not specify the use of delimiters or explicit 'ignore embedded instruction' warnings when processing these external data sources.
  - Capability inventory: The skill is capable of performing file read and write operations to the local file system (specifically the `claude-code-gtm/context/` directory) and performing external searches via vendor tools.
  - Sanitization: No sanitization, validation, or filtering of the ingested external text is described before the content is extracted and written to the global context file.
- [COMMAND_EXECUTION]: The skill performs file system operations using dynamic paths based on user-provided variables.
  - Evidence: The skill reads and writes to `claude-code-gtm/context/{company}_context.md`. This presents a potential risk of path traversal if the `{company}` variable is not properly sanitized or validated by the agent implementation before file access.
- [EXTERNAL_DOWNLOADS]: The skill integrates with vendor-specific external services for data enrichment.
  - Evidence: The 'Do Not Contact' section in `SKILL.md` mentions running an 'Extruct search' to identify competitors. This is a vendor-owned resource (extruct-ai) used for intended functionality and does not represent an unauthorized network operation.
Audit Metadata