nhl-data
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's setup instructions in
SKILL.mdprompt the user or agent to install an external Python package namedsports-skillsvia pip if it is not already available in the environment. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its data ingestion capabilities.
- Ingestion points: The
get_newscommand fetches headlines and descriptions from external NHL news feeds. - Boundary markers: The instructions do not define any delimiters or provide warnings to the agent to ignore instructions embedded within the fetched news content.
- Capability inventory: The skill has the ability to execute shell commands via the
sports-skillsCLI tool. - Sanitization: There is no evidence of sanitization, escaping, or validation performed on the news article content before it is presented to the agent's context.
Audit Metadata