lead-routing
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the lead scoring mechanism.
  - Ingestion points: Untrusted external data (such as company name, job title, or behavioral data) is ingested via the `{lead_data}` variable in the `ai_scoring` prompt defined in `SKILL.md`.
  - Boundary markers: The `scoring_prompt` does not use clear delimiters or boundary markers (e.g., triple quotes, XML tags) to isolate the untrusted `{lead_data}` from the system instructions, increasing the risk that an attacker could embed malicious instructions in lead data to manipulate the resulting score or routing decision.
  - Capability inventory: The skill has the capability to modify CRM records (`hubspot_assign_owner`, `salesforce_route`), create tasks, and send Slack notifications based on the output of the AI scoring process.
  - Sanitization: There is no evidence of input sanitization or filtering to prevent the processing of instructions hidden within the lead data fields.
Audit Metadata