vendor-manager
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill contains no patterns of prompt injection, obfuscation, or malicious command execution. Its operations are limited to processing business information and generating markdown-based reports.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external data (vendor profiles and project details), which is a common surface for indirect prompt injection.
- Ingestion points: User-provided vendor data and project scope definitions processed through the risk management workflow in
references/risk-register.md. - Boundary markers: The instructions do not implement specific delimiters or system-level instructions to ignore embedded commands within the vendor data.
- Capability inventory: The skill utilizes the
mcp__sequential-thinking__sequentialthinkingtool for analytical tasks and performs file-write operations to a local_workspace/directory to organize output. - Sanitization: No explicit data sanitization or validation logic is present, though the impact is limited as the output is primarily descriptive markdown.
Audit Metadata