sf-omnistudio-analyze
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides instructions for the agent to execute multiple Salesforce CLI (
sf) commands. These includesf data queryfor retrieving component metadata andsf api requestfor performing REST API operations, which involves executing shell commands to interact with the connected Salesforce organization. - [EXTERNAL_DOWNLOADS]: The documentation suggests the installation of additional skills from a specific GitHub repository (
github:Jaganpro/sf-skills/). These references point to resources from the same vendor/author associated with the skill. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and parsing component metadata directly from Salesforce objects.
- Ingestion points: Metadata is retrieved from the
PropertySetConfigandDataSourceConfigfields ofOmniProcess,OmniUiCard, andOmniDataTransformrecords. - Boundary markers: The instructions do not define clear delimiters or use "ignore instructions" warnings when handling the content of these metadata fields.
- Capability inventory: The agent has the capability to execute shell commands (
sfCLI) and perform API writes, creating a path for potential exploitation if malicious instructions are embedded in the org metadata. - Sanitization: No specific sanitization or filtering logic is prescribed for the JSON data retrieved from the org before the agent processes it for analysis and reporting.
Audit Metadata