noticed
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill defines workflows for processing untrusted data (e.g., record objects and params) and interpolating it into notification content sent to external services (Slack, Discord, Email). This creates a surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters via the `record` and `params` attributes in notifier classes (e.g., `workflows/create-notifier.md`).
  - Boundary markers: No specific boundary markers or instructions to treat data as untrusted are included in the templates.
  - Capability inventory: The skill facilitates network operations (HTTP POST via `HTTP.post`), database writes, and email delivery.
  - Sanitization: No sanitization or escaping of notification content is suggested, only basic truncation for length.
- Dynamic Execution (LOW): The workflow for custom delivery methods (`workflows/create-custom-delivery-method.md`) uses `instance_exec` to evaluate configuration Procs at runtime. While standard in Ruby DSLs, it represents a controlled form of dynamic execution.
- Data Exposure & Exfiltration (SAFE): The skill consistently recommends using `Rails.application.credentials` for managing API keys and secrets, preventing hardcoded credentials.
- Command Execution (SAFE): All command-line examples use standard Rails and Ruby development tools (e.g., `rails generate`, `bundle add`, `bin/rails runner`).
Audit Metadata