agent-app-store

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE

PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill ingests untrusted data through app searches and source code submissions, creating a surface for indirect instructions to influence agent behavior.
  • Ingestion points: Untrusted data enters the context via mcp__flow-nexus__app_search results and the source_code parameter in the mcp__flow-nexus__app_store_publish_app tool.
  • Boundary markers: Absent. There are no specific delimiters or instructions defined to prevent the agent from following instructions embedded within the application descriptions or source code being processed.
  • Capability inventory: The agent has the ability to deploy templates (mcp__flow-nexus__template_deploy), publish apps, and manage analytics. A malicious app description could trick the agent into misconfiguring a deployment.
  • Sanitization: No sanitization or validation logic is explicitly defined within the skill instructions for handling the ingested marketplace data.
  • Data Exposure (SAFE): The template_deploy tool accepts sensitive variables such as api_key and database_url. While this is an intended function for deployment, it involves the agent handling credentials. No hardcoded secrets or unauthorized data access patterns were found.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:11 PM