performance-reporting

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection by processing untrusted external data into plain-language reports without sanitization or boundary delimiters.
      • Ingestion points: Portfolio performance data and attribution commentary (SKILL.md).
      • Boundary markers: Absent; the skill does not use delimiters or 'ignore embedded instructions' warnings.
      • Capability inventory: The skill has access to 'Bash', 'Read', 'Write', and 'Edit' tools (SKILL.md).
      • Sanitization: The Python script (scripts/performance_reporting.py) performs type casting for numeric values but does not sanitize string inputs used in generated reports.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 06:35 AM