pluggy-integration

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • [Data Exposure & Exfiltration] (SAFE): The skill explicitly instructs developers to keep sensitive credentials like clientSecret on the backend and provides secure patterns using environment variables (process.env). It distinguishes between backend API Keys and frontend Connect Tokens to prevent credential leakage.
  • [External Downloads] (SAFE): The skill references legitimate dependencies (pluggy-sdk and react-pluggy-connect) necessary for the described integration. No suspicious remote scripts or piped-to-shell execution patterns were found.
  • [Prompt Injection] (SAFE): The instructions are educational and functional, with no attempts to override system prompts, bypass safety filters, or extract sensitive internal configurations.
  • [Obfuscation] (SAFE): The content is clear and readable. No zero-width characters, homoglyphs, or multi-layer encoding (such as Base64) were used to hide malicious intent.
  • [Indirect Prompt Injection] (LOW): The skill describes handling external data via webhooks, which is a common attack surface. However, the provided examples follow standard implementation patterns for financial data synchronization and do not exhibit exploitable vulnerabilities in this context.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:30 PM