r2-transfer-service-playbook
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local shell script (test_r2_worker.sh) and utilizes standard tools like pytest and Cloudflare Wrangler for testing and deployment validation. These actions are transparently documented as part of the intended development workflow.
- [PROMPT_INJECTION]: The skill processes external data, including email links and R2 URLs in email_processing/orchestrator.py, which represents a potential surface for indirect prompt injection. However, the workflow explicitly mandates domain validation using an allow-list (ALLOWED_R2_DOMAINS) and a validation function (is_allowed_domain) to mitigate risks.
  - Ingestion points: External URLs and email data in orchestrator.py.
  - Boundary markers: Not explicitly defined in the provided snippets.
  - Capability inventory: Subprocess execution for testing and deployment, and file system access for logging and configuration.
  - Sanitization: Validation of domains against a strictly defined environment-based allow-list.
Audit Metadata