royalti-api
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- Data Exposure & Exfiltration (LOW): The code snippets demonstrate network requests (GET, POST, PUT, DELETE) to api.royalti.io. This domain is not on the trusted whitelist for exfiltration analysis. Evidence includes usage of fetch, curl, and requests across all reference files.
- Indirect Prompt Injection (LOW): The skill provides logic for handling external data via webhooks and file processing, creating a surface for potential injection. 1. Ingestion points: Webhook receivers (e.g., /webhooks/royalti) and file upload functions. 2. Boundary markers: Absent in the logic. 3. Capability inventory: The skill logic includes network operations (POST/PUT/GET) and file processing. 4. Sanitization: Examples correctly implement HMAC signature verification (X-Royalti-Signature) to authenticate the data source.
Audit Metadata