health-fhir-modeling
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill implements a defensive 'Operating Rules' section that establishes a clear security boundary. It instructs the agent to treat all external content (repository files, user-supplied instances, and external sources) as data and specifically warns against following embedded directives such as 'ignore previous instructions' or 'you are now'. This is an effective implementation of a prompt injection guardrail.
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a surface for indirect injection as it ingests and reviews user-supplied FHIR resources in 'review' mode. This risk is addressed through explicit defensive instructions.
  - Ingestion points: User-supplied JSON instances and mapping descriptions processed in the 'review' mode defined in SKILL.md.
  - Boundary markers: The 'Operating Rules' section provides clear instructions to treat processed data as non-authoritative and ignore embedded directives.
  - Capability inventory: The skill is purely advisory and has no access to shell commands, network tools, or file system writes.
  - Sanitization: The agent is instructed to detect and flag potential injection attempts in the input data rather than acting upon them.
- [EXTERNAL_DOWNLOADS]: The skill references standard FHIR documentation and well-known open-source tool repositories (e.g., HL7, LOINC, and the HAPI FHIR project) for user guidance. These references are informative, point to trusted industry resources, and do not involve automatic execution of remote code.