square-automation
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the ingestion of untrusted data from the Square API.
  - Ingestion points: Data enters the agent context via SQUARE_LIST_PAYMENTS, SQUARE_SEARCH_ORDERS, and SQUARE_LIST_INVOICES (SKILL.md).
  - Boundary markers: The skill does not define boundary markers or include instructions to ignore instructions embedded within the Square data.
  - Capability inventory: The skill includes powerful modification tools such as SQUARE_CANCEL_PAYMENT, SQUARE_UPDATE_ORDER, and SQUARE_CANCEL_INVOICE (SKILL.md).
  - Sanitization: No sanitization or validation steps are defined for the data retrieved from Square before it is used to drive agent actions.
- [EXTERNAL_DOWNLOADS]: The skill relies on an external MCP server endpoint (https://rube.app/mcp) for its core functionality. While this is the intended design of the skill, it introduces a dependency on third-party infrastructure for tool definitions and execution logic.
Audit Metadata