automate-whatsapp

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE
PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill creates an attack surface for indirect prompt injection by processing untrusted user data within workflow automations.
      • Ingestion points: Workflow nodes like wait_for_response (referenced in references/node-types.md and assets/workflow-linear.json) capture WhatsApp messages into variables such as vars.user_reply.
      • Boundary markers: The provided workflow assets (e.g., assets/workflow-customer-support-intake-agent.json) do not demonstrate the use of delimiters or specific instructions to ignore embedded commands when these variables are interpolated into agent system prompts.
      • Capability inventory: The agent has access to scripts that can update workflow logic (scripts/update-graph.js), deploy arbitrary JavaScript functions (scripts/deploy-function.js), and modify database records (scripts/update-row.js).
      • Sanitization: No explicit sanitization or validation of the user-provided message content is implemented in the provided scripts before it is passed to LLM nodes.
  • [REMOTE_CODE_EXECUTION]: The skill allows the agent to create and deploy JavaScript functions to a remote cloud environment.
      • Evidence: scripts/create-function.js and scripts/update-function.js provide mechanisms to send JavaScript source code to the Kapso Platform API, while scripts/deploy-function.js and scripts/invoke-function.js facilitate its deployment and execution. This allows the agent to manage code that runs on the vendor's infrastructure.
  • [COMMAND_EXECUTION]: The skill consists of a comprehensive suite of CLI scripts that the agent executes to perform platform operations. These scripts use the local environment to interact with the Kapso API via the fetch API.
  • [EXTERNAL_DOWNLOADS]: The skill fetches configuration files from external resources managed by the vendor.
      • Evidence: scripts/openapi-explore.mjs downloads OpenAPI specification files from https://docs.kapso.ai. These references target the official documentation domain of the skill's authoring organization.
  • [DATA_EXFILTRATION]: The skill provides tools that can be used to read sensitive data and transmit it to external endpoints.
      • Evidence: scripts/query-rows.js and scripts/get-table.js allow the agent to read contents from D1 databases. This data can then be sent to external services using webhook nodes or pipedream app integration nodes as described in references/node-types.md.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 11:30 PM