ecommerce-ppc-strategy-planner
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's installation instructions utilize `npx` to fetch and add the skill from the vendor's GitHub repository at `nexscope-ai/eCommerce-Skills`. This is a standard procedure for the distribution of skills by this author.
- [REMOTE_CODE_EXECUTION]: The installation command `npx skills add nexscope-ai/eCommerce-Skills` involves executing code from a remote source to install the skill functionality. As this targets the vendor's own infrastructure, it is a functional requirement of the installation process.
- [PROMPT_INJECTION]: The skill is designed to parse and process user-provided product information, which creates a surface for indirect prompt injection where malicious instructions could be embedded in the input data.
  - Ingestion points: Product type, price, margins, and descriptions are parsed from user prompts in `SKILL.md`.
  - Boundary markers: The instructions do not define specific delimiters or boundary markers to wrap untrusted user data when processing.
  - Capability inventory: The skill generates campaign briefs, ad copy, and creative direction based on input data. It does not perform active file-system writes or network operations during its execution workflow in `SKILL.md`.
  - Sanitization: No explicit sanitization or input validation logic is described in the skill's operational steps.
Audit Metadata