gousto
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to the official Gousto API (production-api.gousto.co.uk) to retrieve recipe metadata and cooking instructions. These operations are essential for the skill's primary functionality and target a legitimate domain.
- [PROMPT_INJECTION]: The skill ingests external data (recipes) which could serve as a vector for indirect prompt injection. However, the implementation includes basic sanitization and uses structured parsing.
  - Ingestion points: Recipe text and instructions are fetched from the external Gousto API in scripts/recipe.sh and scripts/update-cache.sh.
  - Boundary markers: Not present in the script output.
  - Capability inventory: The skill's capabilities are limited to network retrieval and JSON parsing; it does not contain code for arbitrary command execution or persistence.
  - Sanitization: scripts/recipe.sh uses jq filters (gsub("<[^>]+>"; "")) to strip HTML tags and normalize entities from cooking instructions before returning them to the agent context.
Audit Metadata