ynab
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection because it retrieves financial records from the YNAB API and displays them as JSON for the agent to process. If transaction memos, category names, or payee information contain malicious instructions (e.g., from a synced bank transaction or a shared budget contributor), the agent might inadvertently follow them.
- Ingestion points: Data is ingested from the YNAB API via
list-transactions.js,get-budget.js,list-accounts.js, andlist-categories.js. - Boundary markers: The script outputs raw JSON to the terminal; it does not wrap the output in delimiters or provide explicit 'ignore embedded instructions' warnings for the model.
- Capability inventory: The skill is granted
Bash(node:*)permissions to execute its internal scripts, which perform network operations toapi.ynab.com. - Sanitization: The scripts parse JSON responses from the YNAB API and print them directly to standard output without sanitizing or escaping the string fields before they enter the model's context.
Audit Metadata