nfl-data
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructions provide steps to install the sports-skills package from PyPI or directly from the author's GitHub repository (github.com/machina-sports/sports-skills.git). These are standard dependencies provided by the skill author for its intended functionality.
- [COMMAND_EXECUTION]: The skill performs shell execution to run the sports-skills CLI tool for data retrieval and a local script, scripts/validate_params.sh, for parameter checking. These actions are limited to the skill's stated purpose.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface due to its data processing model.
  1. Ingestion points: Live NFL data, news articles, and game summaries are fetched from external ESPN public API endpoints via the sports-skills tool.
  2. Boundary markers: No delimiters or specific instructions are defined in the skill to isolate fetched data from the agent's control logic.
  3. Capability inventory: The skill has the capability to execute CLI commands and a local bash script.
  4. Sanitization: No explicit sanitization or validation of the content retrieved from ESPN is implemented in the skill's configuration.
Audit Metadata