kpi-bot
Fail
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to retrieve an API key and Slack bot token from a local file named 'email-pipeline.md'. This exposes sensitive credentials stored on the local filesystem.
- [DATA_EXFILTRATION]: The skill directs the agent to read credentials from a local file and utilize them to make authenticated network requests to external services, including 'n8n.cloud' and 'slack.com'.
- [REMOTE_CODE_EXECUTION]: The skill involves generating JavaScript code to be included in an n8n workflow. This code is sent via API and executed on the n8n automation platform, representing a remote code execution vector through dynamic script generation.
- [COMMAND_EXECUTION]: The skill instructs the agent to generate and execute SQL queries against a Databricks database ('leland_analytics.ai') based on natural language descriptions provided in user arguments.
- [PROMPT_INJECTION]: The skill facilitates an indirect prompt injection surface by ingesting data from an external database and formatting it for delivery to a Slack channel without implementing sanitization or boundary markers.
  - Ingestion points: SQL query results from Databricks tables (bookings, coachmetricsviews, etc.)
  - Boundary markers: Absent; database content is directly formatted into Slack mrkdwn blocks.
  - Capability inventory: SQL execution via 'run_sql', n8n workflow creation (POST), and Slack message delivery (POST).
  - Sanitization: Absent; no escaping or validation of external database content is specified before it is sent to Slack.
Recommendations
- AI detected serious security threats
Audit Metadata