performance-analytics
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface.
- Ingestion points: Untrusted data can enter the agent context through parameters used to create indicators, specifically the 'conditions' and 'formula' fields in the 'snow_create_pa_indicator' tool.
- Boundary markers: The provided examples contain no boundary markers and no instructions to ignore embedded instructions.
- Capability inventory: The skill can create, modify, and query critical ServiceNow tables (pa_indicators, pa_breakdowns, pa_dashboards), which directly affects business reporting and visibility.
- Sanitization: No input validation or escaping is shown for strings used in ServiceNow queries or Performance Analytics formulas, allowing potentially malicious instructions in data to influence the agent's output.
- [DATA_EXFILTRATION]: Potential Data Exposure. The skill includes code to set dashboards to public (dashboard.setValue('public', true)), which can expose sensitive organizational KPIs to unauthenticated users if appropriate platform-level controls are not in place.