marketing-dashboard
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Indirect Prompt Injection] (SAFE): The skill identifies a standard risk surface for indirect prompt injection as it processes data from external APIs (PostHog, Google Search Console, Stripe) and displays it in the terminal. This is inherent to the dashboard's function of aggregating external metrics.
  - Ingestion points: dashboard.py, src/posthog_client.py, src/gsc_client.py, src/stripe_client.py (via API responses).
  - Boundary markers: None (outputs raw strings to console).
  - Capability inventory: The skill is restricted to read-only API access and standard console output via the rich library.
  - Sanitization: None (expected for a CLI reporting tool).
- [Data Exposure & Exfiltration] (SAFE): The skill handles sensitive API keys (Stripe, PostHog, GSC) through environment variables or specific credential files. These keys are used exclusively for authorized communication with the respective service providers. No evidence of unauthorized credential extraction was found.
- [Unverifiable Dependencies] (SAFE): All dependencies listed in requirements.txt are standard, well-maintained libraries from reputable sources (e.g., Google, Stripe, HTTPX).
Audit Metadata