voice-of-customer-synthesizer

Pass

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION

Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core function involves processing untrusted, attacker-controllable data from external sources.
  • Ingestion points: The skill explicitly instructs the agent to read and process data from public review platforms (G2, Capterra, Trustpilot), social media threads (Reddit, Twitter/X), and customer communication channels (Slack, Email).
  • Boundary markers: There are no defined delimiters or instructions provided to the agent to treat external feedback as untrusted data, increasing the risk that embedded malicious commands will be executed by the LLM.
  • Capability inventory: The skill possesses the ability to read internal CSV files, execute scraper tools (review-scraper, twitter-scraper), and write files to the local filesystem (VoC reports).
  • Sanitization: No sanitization or filtering steps are mentioned for handling processed text before it is passed into the analysis phase.
  • [COMMAND_EXECUTION]: The skill documentation references shell commands and system persistence mechanisms.
  • Evidence: The 'Scheduling' section provides a crontab string (0 8 1 */3 * python3 run_skill.py ...) to automate the skill. While intended for user automation, an agent might attempt to modify the system's cron configuration if instructed to 'setup' or 'automate' this skill.
  • Evidence: The metadata defines an installation command using 'npx', which executes code fetched from the NPM registry.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 28, 2026, 11:42 AM