nlp-processing

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Flags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection because it is designed to ingest and process untrusted text data. While the preprocessing logic includes cleaning, it lacks explicit boundary markers to prevent embedded instructions from influencing downstream AI components. (1) Ingestion points: preprocess_text in SKILL.md and TextPreprocessor.preprocess in scripts/text_preprocessor.py. (2) Boundary markers: Absent. (3) Capability inventory: The skill does not expose dangerous system calls (like os.system or eval) to the processed data. (4) Sanitization: Robust regex cleaning is provided to remove HTML, URLs, and emails.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill uses transformers and spacy to download pre-trained models. While Hugging Face is a trusted source, the spaCy model repository is not explicitly whitelisted, resulting in a low-severity finding for external asset acquisition.
  • [DATA_EXFILTRATION] (SAFE): No hardcoded credentials, sensitive file access patterns, or unauthorized network exfiltration attempts were detected.
  • [COMMAND_EXECUTION] (SAFE): All included Python code is limited to data processing and mathematical modeling without invoking shell commands.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:24 PM