review-demos

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUM
Tags: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The skill initiates its workflow by reading and sourcing a local .env file to retrieve sensitive API tokens for the CRM and InboxMate services. While essential for its operation, this pattern involves direct access to local credentials.
  • [COMMAND_EXECUTION]: Extensive use of curl commands to perform POST requests to GraphQL endpoints and internal APIs (crm.psquared.dev, app.psquared.dev). These commands utilize the sensitive tokens retrieved from the environment.
  • [EXTERNAL_DOWNLOADS]: The skill uses WebFetch to ingest content from arbitrary external company websites and the OpenBrand API to extract branding data. This data is then used to drive decision-making and automated fixes.
  • [PROMPT_INJECTION]: There is a significant risk of indirect prompt injection. The skill processes untrusted data from external websites and CRM notes (e.g., to determine deadlines or offer text) and interpolates this data directly into prompts and subsequent tool calls.
    ◦ Ingestion points: CRM opportunity notes (STEP 2e), company website content (STEP 2b), and OpenBrand API responses (STEP 2b2).
    ◦ Boundary markers: None identified. There are no instructions to ignore embedded commands within the fetched content.
    ◦ Capability inventory: Subprocess execution via curl, and SQL execution via the Supabase MCP tool.
    ◦ Sanitization: No sanitization or validation logic is defined before using external strings in SQL queries or API payloads.
  • [DYNAMIC_EXECUTION]: In STEP 2e, the skill dynamically constructs a SQL UPDATE query for a Supabase database using offer_text and offer_expires_at values derived from untrusted external sources. This lack of parameterized input or strict validation creates a vulnerability to SQL injection via the indirect prompt injection vector.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 17, 2026, 09:59 AM