csm-kb-generation
Warn
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from ServiceNow cases to generate knowledge articles. Malicious instructions could be embedded within case records by customers or agents.
  - Ingestion points: The skill reads from the sn_customerservice_case table (fields like short_description, description, close_notes) and the sys_journal_field table (work notes and comments) in SKILL.md (Steps 2 and 3).
  - Boundary markers: Absent. The skill does not use specific delimiters or instructions to ignore embedded commands when processing case text.
  - Capability inventory: The skill utilizes SN-Create-Record, SN-Update-Record, SN-Execute-Background-Script, and Bash tools.
  - Sanitization: No sanitization, escaping, or validation of the ingested external content is described.
- [REMOTE_CODE_EXECUTION]: The skill includes the SN-Execute-Background-Script tool in its configuration and mentions its use for batch-generating articles in the Tool Usage reference. This tool allows for the execution of arbitrary server-side JavaScript within the ServiceNow environment, which represents a high-risk capability if misused.
- [COMMAND_EXECUTION]: The skill lists Bash as a native tool and provides numerous examples of performing REST operations via curl inside bash code blocks. This provides the agent with local shell execution capabilities.
- [DATA_EXFILTRATION]: The skill accesses sensitive data tables including sn_customerservice_case, interaction, and csm_consumer. These tables typically contain Personally Identifiable Information (PII) such as customer names, contact details, and specific issue histories. While necessary for the skill's function, this level of access constitutes a significant data exposure risk.
Audit Metadata