funnel-analyzer

Pass

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: LOW
Category: PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill processes external CSV files (data.csv, funnel.csv) and interpolates values directly into terminal output and HTML files. While primarily an analytics tool, the ingestion of untrusted external content into the agent's context creates a potential surface for indirect prompt injection if the CSV contains malicious instructions instead of data.
  • Ingestion points: scripts/main.py reads file content using csv.DictReader in analyze and dropoff commands.
  • Boundary markers: Absent. Data is read and processed directly without delimiters or system-level warnings to the agent.
  • Capability inventory: The skill has file-write capabilities (Path(output).write_text(html)) and can execute local analysis logic. It does not have network access or arbitrary command execution.
  • Sanitization: None detected. The script directly uses dictionary keys and values from the CSV for display and HTML generation.
  • [Command Execution] (LOW): The visualize command allows writing HTML files to arbitrary local paths provided by the user via the --output flag. This is a standard feature but could be used to overwrite existing local files if the agent is misled by malicious input data.
Audit Metadata
Risk Level: LOW
Analyzed: Feb 16, 2026, 08:43 AM