build-tcg-deck
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: No evidence of prompt injection or behavior override instructions. The language used is purely instructional for the intended TCG deck-building task.
- [DATA_EXPOSURE]: No hardcoded credentials, API keys, or access to sensitive file paths were detected. The skill does not attempt to access private system data.
- [REMOTE_CODE_EXECUTION]: The skill does not include any commands to download, execute, or interpret remote code or scripts.
- [OBFUSCATION]: No obfuscated text, encoded strings, or hidden content (such as zero-width characters) were found in the file.
- [INDIRECT_PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it ingests external meta-game data via `WebSearch` and `WebFetch` tools. However, the risk is negligible because the skill lacks the capability to perform dangerous actions (like file modification or command execution) based on the ingested data.
  - Ingestion points: `WebSearch` and `WebFetch` are used in Step 4 to retrieve tournament results and tier lists from external websites.
  - Boundary markers: None identified.
  - Capability inventory: The skill is limited to natural language processing and deck list generation; it has no access to subprocesses, `eval()`, or file-system write operations.
  - Sanitization: None identified, but the structured procedure naturally constrains the model's focus to card-game data.