lead-generation
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the `mcporter` package from the NPM registry. This utility is used to facilitate communication with the Xpoz service for lead generation tasks.
- [COMMAND_EXECUTION]: The skill invokes the `mcporter` binary to interact with the Xpoz API, specifically for fetching social media posts and checking account status.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection because it incorporates untrusted data from external sources into its workflow. Specifically, it fetches content from user-supplied URLs and retrieves social media posts from Twitter and Reddit. If these external sources contain malicious instructions, they could potentially influence the agent's behavior when generating search queries or outreach drafts.
  - Ingestion points: Data is ingested from the `product_url` using the `web_fetch` capability and from social media platforms via `mcporter` calls.
  - Boundary markers: The skill does not define specific delimiters or instructions to ignore embedded commands within the ingested content.
  - Capability inventory: The agent has the ability to execute the `mcporter` tool and write to local data files in the `data/lead-generation/` directory.
  - Sanitization: There is no evidence of sanitization or filtering applied to the external content before it is processed by the agent.
Audit Metadata