raffle-winner-picker
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, NO_CODE
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Vulnerability Surface. The skill is designed to ingest and process data from external, potentially untrusted sources which could contain malicious instructions disguised as raffle entries.
  * Ingestion points: Google Sheets (via URL), local files (CSV, XLSX), and user-provided lists.
  * Boundary markers: Absent. The skill does not define delimiters or instruct the agent to ignore instructions embedded within the spreadsheet data.
  * Capability inventory: Reading remote URLs, reading local file system, and workflow instructions for exporting results or emailing winners.
  * Sanitization: Absent. No mention of validating or cleaning input data before processing.
- [NO_CODE] (SAFE): The skill consists only of markdown documentation and usage examples. No scripts, binaries, or automated installation steps are present, eliminating traditional malware or code execution risks.