prospect-refresh
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from an external API and uses it to generate outbound communications. An attacker could potentially embed malicious instructions in Apollo-indexed fields (like job titles or company names) to influence the agent's behavior when generating email drafts.
  - Ingestion points: Untrusted data enters the agent context via the apollo_mixed_people_api_search tool, which retrieves prospect names, titles, and organization details from the Apollo platform as described in Stage 2 and Stage 5.
  - Boundary markers: The Gmail draft templates defined in Stage 6 do not use delimiters (such as XML tags or triple quotes) or specific instructions to the model to treat the interpolated prospect data as potentially untrusted or to ignore instructions embedded within it.
  - Capability inventory: The skill has access to sensitive capabilities including gmail_create_draft for email generation and search_crm_objects for HubSpot CRM interaction, which could be abused if an injection attack is successful.
  - Sanitization: There is no evidence of input validation, escaping, or filtering of the strings retrieved from the external Apollo API before they are interpolated into the email templates.
Audit Metadata