posthog-pls-transition-leads
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill ingests data from several external and potentially attacker-controlled sources, creating a risk that malicious instructions could influence agent behavior.
- Ingestion points: Salesforce lead details (user-provided), Vitally account notes and conversations (external platform data), and web search results (SKILL.md).
- Boundary markers: Absent. The instructions do not define delimiters or specific 'ignore' directives for processed data.
- Capability inventory: The skill possesses network access for URL validation and read access to sensitive customer billing data via the Vitally MCP (SKILL.md).
- Sanitization: Absent. There is no evidence of logic to validate or escape data ingested from external sources before it is processed.
- [DATA_EXFILTRATION]: Potential for SSRF and Data Exfiltration. Step 7 in the SKILL.md workflow requires the agent to fetch every link in a generated draft to verify resolution. This proactive network request to unverified, dynamically generated URLs could be exploited to perform Server-Side Request Forgery (SSRF) or to exfiltrate contextually sensitive data if a malicious URL is injected into the draft via the indirect prompt injection surface.
Audit Metadata