check-demo-analytics

Pass

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses curl to perform GraphQL queries against external APIs for both analytics and CRM data retrieval.
  • [EXTERNAL_DOWNLOADS]: Data is retrieved from crm.psquared.dev and a user-specified Ackee domain. These destinations are consistent with the infrastructure of the skill author.
  • [DATA_EXFILTRATION]: The skill reads authentication tokens from the local .env file. This is performed for legitimate configuration purposes to access the required APIs.
  • [PROMPT_INJECTION]: The skill ingests data from external sources (Ackee and CRM) to generate reports, which represents an indirect prompt injection surface.
      • Ingestion points: Ackee statistics and CRM opportunity nodes retrieved in SKILL.md.
      • Boundary markers: None present in the skill instructions.
      • Capability inventory: Network access and shell command execution via curl.
      • Sanitization: No explicit validation or sanitization of the API responses is defined.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 27, 2026, 01:03 PM