fakturoid
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION] (SAFE): All scripts are designed to perform specific API operations using the Python standard library. No arbitrary command execution or shell injection surfaces were identified.
- [DATA_EXFILTRATION] (SAFE): Network communication is exclusively directed to the official Fakturoid API domain (app.fakturoid.cz). The skill handles sensitive OAuth tokens locally and implements secure file permissions to prevent unauthorized access.
- [CREDENTIALS_UNSAFE] (SAFE): No hardcoded API keys, secrets, or credentials were found in the scripts or documentation. Authentication relies on user-provided environment variables or local token files.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill does not perform any external package installations or remote script executions. It uses standard library imports, ensuring all logic is contained within the provided scripts.
- [Indirect Prompt Injection] (LOW): As an API integration, the skill processes external data from Fakturoid (e.g., subject names, invoice notes). While this is a common surface for indirect injection, the scripts primarily output structured JSON for the agent to consume, presenting no immediate risk beyond the inherent data-handling nature of the tool.
Audit Metadata