b2c-custom-objects
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: LOW
Full Analysis
- PROMPT_INJECTION (SAFE): No instructions attempting to override agent behavior or bypass safety filters were found in the skill metadata or body.
- DATA_EXPOSURE & EXFILTRATION (SAFE): The skill contains example HTTP requests for Salesforce APIs (OCAPI/SCAPI) using standard placeholder tokens like '{token}' and '{shopper_token}'. No hardcoded credentials or access to sensitive system files were detected. Network operations are limited to well-documented platform API endpoints.
- OBFUSCATION (SAFE): All content is in clear text. No Base64, zero-width characters, or other encoding techniques are used to hide malicious intent.
- UNVERIFIABLE DEPENDENCIES & RCE (SAFE): The skill uses platform-specific 'require' statements (e.g., 'dw/object/CustomObjectMgr') which are standard for the Salesforce B2C Commerce environment. No external package installations (npm/pip) or remote script executions (curl|bash) are present.
- PRIVILEGE ESCALATION (SAFE): The skill does not request administrative privileges or use commands like 'sudo'. It operates within the standard permission model of the Salesforce Commerce Cloud Script API.
- PERSISTENCE MECHANISMS (SAFE): No attempts to modify shell profiles, cron jobs, or startup services were found.
- INDIRECT PROMPT INJECTION (SAFE): While the skill describes processing data from custom objects, it provides standard developer guidance and does not involve uncontrolled interpolation of untrusted external content into agent instructions.