pokemon-data-fetcher

Pass

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: SAFE DATA_EXFILTRATION PROMPT_INJECTION
Full Analysis
  • [Data Exposure & Exfiltration] (LOW): The skill makes outbound network requests to pokeapi.co. While this domain is not on the trusted whitelist, the activity is transparently documented and aligned with the skill's primary function of fetching Pokemon data.
  • [Indirect Prompt Injection] (LOW): The skill ingests untrusted data from an external API which is then saved locally. This creates a potential surface for indirect prompt injection if the API content were compromised.
      • Ingestion points: Data is fetched from pokeapi.co via the urllib module.
      • Boundary markers: The documentation does not specify the use of delimiters or 'ignore' instructions for the fetched content.
      • Capability inventory: The skill performs file-write operations (pokemon_by_generation.json) and network read operations.
      • Sanitization: There is no mention of sanitizing or validating the API response before storage.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 18, 2026, 03:28 AM