churn-risk-detector
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted external data from support tickets, Slack messages, and NPS comments, making it vulnerable to Indirect Prompt Injection where malicious actors could manipulate risk assessments.
  - Ingestion points: `SKILL.md` identifies support tickets, Slack channels, and NPS results as primary inputs.
  - Boundary markers: Absent. There are no instructions for the agent to use delimiters or ignore instructions embedded within the processed data.
  - Capability inventory: The skill performs file system operations (reading source data and writing markdown reports).
  - Sanitization: Absent. The instructions do not specify filtering or escaping of external content.
- [COMMAND_EXECUTION]: The skill documentation includes shell commands for local execution and scheduling.
  - Evidence: `SKILL.md` suggests a cron job execution pattern: `python3 run_skill.py churn-risk-detector --client <client-name>`.
- [DATA_EXFILTRATION]: The skill requests access to highly sensitive business data which increases the risk of accidental exposure or targeted exfiltration if compromised.
  - Evidence: The 'Intake' section in `SKILL.md` explicitly asks for customer lists (with MRR/ARR), billing data (payment failures), and full communication logs (Slack/Email).
Audit Metadata