b2c-config

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • Data Exposure (HIGH): The skill documents the use of the b2c setup inspect --unmask command, which explicitly displays passwords, secrets, and API keys that are otherwise redacted. This facilitates the exposure of sensitive authentication data to the agent's output.
    • Evidence: Instructions for using --unmask to "Show actual passwords, secrets, and API keys".
  • Sensitive File Access (HIGH): The skill instructs the agent to read and verify configuration from sensitive local paths including dw.json and ~/.mobify.
    • Evidence: References to dw.json and ~/.mobify (containing MRT API keys) throughout the documentation.
  • External Downloads (MEDIUM): The skill suggests running the CLI tool via npx @salesforce/b2c-cli. This involves a remote package download and execution. Since the @salesforce organization is not on the predefined list of trusted sources, this is classified as an unverifiable dependency.
    • Evidence: Reference to npx @salesforce/b2c-cli as a way to use the tool without global installation.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 03:28 PM