invoice-generation-automation
Warn
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The evaluation criteria for the PDF rendering service (evals/pdf-rendering-with-puppeteer-and-handleb/criteria.json) require Puppeteer to be launched with '--no-sandbox' and '--disable-setuid-sandbox'. Disabling the browser sandbox is a significant security downgrade: a compromised browser process could escape isolation and access the host system.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface in its PDF generation task (evals/pdf-rendering-with-puppeteer-and-handleb/task.md). Untrusted invoice data is processed through Handlebars and rendered via Puppeteer without explicit requirements for sanitization.
  - Ingestion points: Invoice payload data (customer names, addresses, line items) entering the renderer in 'src/pdf-renderer.js'.
  - Boundary markers: Absent; the instructions do not specify delimiters or warnings to ignore instructions within the data.
  - Capability inventory: The Puppeteer renderer has the capability to perform network requests (SSRF) and potentially access the file system if the injected HTML is malicious, especially given the 'networkidle0' wait requirement.
  - Sanitization: Absent; the criteria do not mandate HTML escaping or data validation before rendering.
Audit Metadata