concierge
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection because it ingests untrusted data from third-party accommodation listing sites (Airbnb, Booking.com, VRBO, Expedia) to inform its AI-driven phone calls and contact extraction.
  - Ingestion points: Scraped content from website listings is ingested via agent-browser and processed in src/lib/browser/booking-scraper.ts and src/lib/utils/contact-extractor.ts.
  - Boundary markers: The provided codebase does not show explicit usage of boundary markers or instructions to the LLM to ignore instructions embedded within the ingested listing data.
  - Capability inventory: The skill possesses significant capabilities, including making outbound phone calls via Twilio (src/lib/call/providers/twilio.ts) and executing system commands (src/lib/browser/agent-browser-client.ts).
  - Sanitization: While basic URL cleaning and HTML escaping are performed, the skill lacks specific sanitization for adversarial instructions hidden in scraped content.
- COMMAND_EXECUTION (SAFE): The skill executes external binaries like ffmpeg, ngrok, agent-browser, and goplaces for its core functionality.
  - Evidence: spawnSync and spawn calls are used in src/lib/browser/agent-browser-client.ts, src/lib/goplaces.ts, and src/lib/call/audio/streaming-decoder.ts.
  - Context: These executions are documented features for browser automation and audio processing, using array-based arguments to avoid shell injection vulnerabilities.
- EXTERNAL_DOWNLOADS (SAFE): The skill relies on external libraries and system-level utilities.
  - Evidence: Dependencies in package.json and instructions in README.md to install ffmpeg and ngrok.
  - Context: All dependencies are standard, reputable packages or tools necessary for the concierge features.
Audit Metadata