AI CFO
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
Full Analysis
- Prompt Injection (SAFE): No evidence of instructions attempting to bypass safety filters or override agent behavior.
- Data Exposure & Exfiltration (SAFE): While the skill handles sensitive financial data, it only communicates with the official Mercury (api.mercury.com) and Stripe (api.stripe.com) endpoints. Credentials are managed via environment variables and no hardcoded secrets were found.
- Obfuscation (SAFE): No Base64, zero-width characters, or other encoding techniques were used to hide code or instructions.
- Unverifiable Dependencies & RCE (SAFE): The provided scripts use the Python standard library (urllib, sqlite3, json). There are no installations of untrusted packages or remote code execution patterns.
- Privilege Escalation (SAFE): The skill does not attempt to acquire root/admin privileges or modify system-level configurations.
- Persistence Mechanisms (SAFE): The documentation suggests a standard cron job for automation, which is a transparent and user-directed action for the skill's primary purpose.
- Indirect Prompt Injection (LOW): The skill ingests transaction descriptions from external APIs (Mercury/Stripe) and mentions AI categorization in the documentation.
- Ingestion points: Mercury and Stripe transaction history retrieved in scripts/cfo_cron.py.
- Boundary markers: Not explicitly defined in the provided snippets (logic resides in the missing scripts/ai_cfo.py).
- Capability inventory: File system write (SQLite), network GET (Stripe/Mercury).
- Sanitization: No explicit sanitization of transaction strings before they are processed.
Audit Metadata