sf-ai-agentforce-persona
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill's operations are limited to reading user-provided design inputs and writing markdown files to a local generated directory (_local/generated/). No evidence of data exfiltration, hardcoded credentials, or malicious command execution was found.
- [PROMPT_INJECTION]: The skill includes functionality to ingest and parse untrusted data from organization URLs and brand documents to automate persona generation, presenting a surface for indirect prompt injection.
  - Ingestion points: User-provided URLs, brand guide PDFs, and text descriptions (SKILL.md).
  - Boundary markers: Not explicitly implemented; instructions do not specify the use of delimiters for external content.
  - Capability inventory: The skill has access to Read, Write, Glob, and Grep tools for file management.
  - Sanitization: External content is mined for signal extraction but is not explicitly sanitized for injection patterns.
Audit Metadata