Skills
skills/jpfielding/claude.pnge/wvges-wells/Gen Agent Trust Hub

wvges-wells

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The Python script in references/python_example.py explicitly disables SSL certificate verification by setting _ssl_ctx.verify_mode = ssl.CERT_NONE, leaving the connection to the government API vulnerable to interception.
  • [COMMAND_EXECUTION]: The documentation in SKILL.md and references/arcgis_rest.md advises the use of insecure flags (-k or --insecure) with curl, which bypasses SSL certificate validation.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the processing of untrusted external data from the WVDEP ArcGIS server.
  • Ingestion points: Data is fetched via API from tagis.dep.wv.gov.
  • Boundary markers: No specific delimiters or instructions (e.g., 'ignore embedded commands') are used to separate external data from the agent's instructions.
  • Capability inventory: The skill uses bash_tool and a Python script for data retrieval and aggregation.
  • Sanitization: There is no evidence of sanitization or filtering of the API responses before they are presented to the agent for narrative summary.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 15, 2026, 06:31 PM