solution-architect
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection because its core functionality involves processing untrusted data from external sources (e.g., CRM records, support tickets, and meeting transcripts) and interpolating it into LLM prompts via the
client.ai.promptmethod. - Ingestion points include scripts in the
recipes/directory (e.g.,batch-pipeline.ts,cold-outreach-sequence.ts) that fetch 'Contact' and 'Company' data. - Mitigation: The skill employs explicit boundary markers (e.g.,
## Guidelines,## Context) and provides a comprehensive 'GENERATE' guardrails framework inreference/generate.mdto prevent hallucinations and ensure compliance. - [DATA_EXFILTRATION]: The skill facilitates the transmission of potentially sensitive generated content and entity metadata to external service providers and user-defined webhooks.
- Scripts in
recipes/use thefetchAPI to send data to Slack webhooks (process.env.SLACK_WEBHOOK_URL) and generic webhook destinations. - The
reference/wire.mdandchannels/documentation detail how to connect Personize outputs to third-party APIs like SendGrid, Twilio, and Resend. - [COMMAND_EXECUTION]: The skill includes executable TypeScript 'recipes' designed to be run in the local environment. These scripts perform file system operations to maintain state.
- Evidence:
recipes/batch-pipeline.tsandrecipes/health-check-message.tsusefs.readFileSyncandfs.writeFileSyncto manage JSON state files (e.g.,.batch-pipeline-state.json) locally. - [EXTERNAL_DOWNLOADS]: The skill's functionality depends on the vendor-owned
@personize/sdkand several well-known third-party Node.js packages for communication delivery. - Dependencies include
@sendgrid/mail,twilio,resend, and@aws-sdk/client-ses.
Audit Metadata