lead-enrichment
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core function of fetching and processing data from external, untrusted sources.
- Ingestion points: The skill ingests data from LinkedIn profiles (via
linkedin-scraper), company websites (viaweb_fetch), and search engine snippets (viaweb_search). - Boundary markers: There are no explicit instructions or delimiters used to ensure the agent ignores potentially malicious instructions embedded in the fetched web content (e.g., in a LinkedIn 'About' section or HTML comments).
- Capability inventory: The skill utilizes SQL
UPDATEcommands to modify records in thev_leadstable based on the fetched data. - Sanitization: The instructions do not define any sanitization, validation, or filtering of the external data before it is used to update the CRM database.
- [DATA_EXFILTRATION]: The skill exposes internal CRM data to external entities as part of its enrichment workflow.
- Exposure surface: To perform enrichment, the skill sends contact details (Names, Job Titles, Company Names) to third-party search engines and social platforms.
- Context: While this behavior is necessary for the skill's primary purpose of lead enrichment, it constitutes a deliberate exposure of PII to external domains.
Audit Metadata