sf-ai-agentforce-persona
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE PROMPT_INJECTION NO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection because it is designed to ingest and process untrusted external data.
- Ingestion points: Step 1 in SKILL.md identifies brand guide PDFs, organization URLs, and external text descriptions as accepted inputs.
- Boundary markers: The skill does not implement delimiters or explicit instructions to disregard embedded commands when reading external input.
- Capability inventory: The skill utilizes Read, Write, Glob, and Grep tools to search for and extract persona signals, which could be influenced by injected instructions.
- Sanitization: There are no mechanisms described for sanitizing or validating the content extracted from external brand documents or URLs.
- [SAFE]: No malicious scripts, hardcoded credentials, or unauthorized network communication patterns were detected. The skill's tool use is restricted to local file operations and user interaction, and its behavior remains consistent with its primary purpose of persona design.
Audit Metadata