salesforce-debug-bundle
Fail
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: HIGH
Categories: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [CREDENTIALS_UNSAFE]: The bash script 'salesforce-debug-bundle.sh' executes 'sf org display --target-org my-org --json' and saves the output to a file. This command's JSON output frequently contains sensitive authentication material, including Access Tokens, Refresh Tokens, and Client Secrets. If this bundle is shared externally as suggested for support tickets, it exposes the org to full unauthorized access.
- [CREDENTIALS_UNSAFE]: The skill reads the local '.env' file to include it in the debug bundle. Although it attempts to redact values with 'sed', accessing raw credential files is a high-risk practice as environment files are primary targets for credential theft.
- [DATA_EXFILTRATION]: The skill aggregates Salesforce debug logs and 'EventLogFile' data into an unencrypted archive. These logs often contain Personally Identifiable Information (PII) and sensitive business logic traces.
- [EXTERNAL_DOWNLOADS]: Fetches incident and status data from 'https://api.status.salesforce.com'. This is a well-known service and the operation is used for legitimate diagnostic purposes.
- [COMMAND_EXECUTION]: The skill utilizes multiple shell commands and scripts (sf, curl, tar, sed) to perform environment discovery and data aggregation.
Recommendations
- AI detected serious security threats
Audit Metadata