gamma-debug-bundle
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The `debug/check-env.ts` script prints the first eight characters of the `GAMMA_API_KEY` to the console. While it's a partial key, exposing secrets in logs is a potential security risk.
- [DATA_EXFILTRATION]: The skill implements interceptors in `debug/gamma-debug.ts` to capture full `requestBody` and `responseBody` of API calls, which are then saved to `gamma-debug-bundle.json`. This may inadvertently capture PII or session tokens contained in the payloads.
- [COMMAND_EXECUTION]: The skill utilizes the `Bash(node:*)` tool to run diagnostic scripts, granting it broad execution capabilities on the host environment for troubleshooting tasks.
- [PROMPT_INJECTION]: The diagnostic script in `debug/diagnose.ts` ingests and logs data directly from the Gamma API without sanitization, presenting an indirect prompt injection surface.
  - Ingestion points: `gamma.presentations.list` and `gamma.presentations.create` in `debug/diagnose.ts`.
  - Boundary markers: Not utilized in log formatting.
  - Capability inventory: `Bash(node:*)`, `Write`, `Edit`, `Read`, `Grep`.
  - Sanitization: None; API response data is logged verbatim.
Audit Metadata