nba-game-intel
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- Data Exposure & Exfiltration (LOW): The skill instructs the agent to make network requests to
site.api.espn.comandcdn.espn.com. These domains are not included in the trusted whitelist of domains for network operations. No access to sensitive local files, credentials, or environment variables was detected. - Indirect Prompt Injection (LOW): The skill processes data from external API endpoints, which presents a surface for indirect prompt injection if the source data is compromised.
- Ingestion points: Data enters the agent context via multiple ESPN API endpoints for scoreboards, summaries, and boxscores.
- Boundary markers: There are no explicit instructions or delimiters in the skill instructions to prevent the agent from following malicious instructions potentially embedded in the API responses.
- Capability inventory: The skill is restricted to read-only network operations and data presentation; it lacks the ability to execute commands, write files, or modify system state.
- Sanitization: No sanitization or validation of the external JSON data is performed before processing.
Audit Metadata