pluggy-payments

Pass

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: LOW
NO_CODE
Full Analysis
  • Prompt Injection (SAFE): No instructions attempting to bypass safety protocols or override the agent's core instructions were found in the markdown files or metadata.
  • Data Exposure & Exfiltration (SAFE): No hardcoded credentials or unauthorized data transmission patterns were detected. Examples utilize environment variable placeholders (e.g., PLUGGY_PROD_SECRET) and standard sandbox test credentials.
  • Obfuscation (SAFE): All content is in plain text. No Base64 encoding, zero-width characters, or homoglyphs were used to hide malicious intent.
  • Unverifiable Dependencies & Remote Code Execution (SAFE): The skill does not include a package manager configuration or any logic to download and execute remote scripts.
  • Indirect Prompt Injection (LOW): The skill describes how to handle untrusted data from external sources, specifically payment webhooks. While this is an ingestion surface, the risk is inherent to the functionality described, and the skill provides appropriate guidance on status tracking and validation.
Audit Metadata
  • Risk Level: LOW
  • Analyzed: Feb 16, 2026, 07:25 AM