freee-api-skill
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality of processing external data and executing state-changing tool calls.
- Ingestion points: Data enters the agent's context from multiple external freee API endpoints (e.g., accounting transactions, employee records, invoices, and project workloads) via the `freee_api_get` tool, as documented across all reference and recipe files.
- Boundary markers: The instructions do not define strict delimiters or include warnings for the agent to treat data returned from the freee API as untrusted content, increasing the risk that embedded instructions could be obeyed.
- Capability inventory: The skill grants the agent extensive capabilities to modify or delete data using tools like `freee_api_post`, `freee_api_put`, `freee_api_delete`, and `freee_file_upload`. This creates a path for an attacker who can influence data within a freee account to potentially manipulate the agent into performing unauthorized actions.
- Sanitization: There is no evidence of sanitization, filtering, or schema validation mentioned in the instructions to protect against malicious payloads within the API response data.
Audit Metadata