personalization
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill architecture handles untrusted external data (customer interactions, CRM records), creating a surface for indirect prompt injection. This is mitigated through a robust 'Governance Layer' and specific architectural guardrails:
- Ingestion points: Data is ingested through the
@personize/sdkvia methods likememorizeBatch()inrecipes/batch-pipeline.ts. - Boundary markers: The generation logic in
reference/generate.mdandrecipes/generate-with-guardrails.tsuses structured context assembly with clear delimiters (e.g.,## Recipient Context) and explicitly callssmartGuidelines()to enforce organizational constraints over ingested data. - Capability inventory: Actions are limited to SDK operations and delivery via authorized third-party APIs (SendGrid, Slack, Twilio).
- Sanitization: The skill provides automated post-generation checks (e.g.,
checkForHallucinationinrecipes/generate-with-guardrails.ts) and uses the SDK'sevaluate: trueparameter to validate output against safety and accuracy criteria. - [DATA_EXFILTRATION]: The skill requires the use of a
PERSONIZE_SECRET_KEYand handles customer data. All network operations are directed to the vendor's official domain (personize.ai) or user-configured delivery endpoints (e.g., Slack webhooks, SendGrid). These operations are standard for the skill's primary purpose and do not represent unauthorized exfiltration. - [EXTERNAL_DOWNLOADS]: The skill references standard, well-known libraries such as
@sendgrid/mail,@slack/web-api, andtwilio. These dependencies are part of the intended integration surface for message delivery and originate from trusted registries.
Audit Metadata