cap-apps-toolkit
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documents the installation and usage of the
@domoinc/toolkitlibrary from the npm registry. - [COMMAND_EXECUTION]: The toolkit provides capabilities to execute arbitrary SQL queries against datasets via
SqlClientand trigger serverless function execution through theCodeEngineClient. This allows for potentially dangerous operations if queries or function calls are constructed from unvalidated user input. - [DATA_EXFILTRATION]: The skill enables broad access to sensitive organizational metadata, including identity details, user profiles, and group memberships via
IdentityClientandUserClient. It also provides methods for file management and downloads through theFileClient. - [PROMPT_INJECTION]: The skill's design involves ingesting data from external sources that could be leveraged for indirect prompt injection attacks.
- Ingestion points: Untrusted data enters the agent's context from
AppDBClient.get,SqlClient.get, andUserClient.get(SKILL.md). - Boundary markers: The provided implementation examples do not include delimiters or instructions to ignore embedded commands when processing external data.
- Capability inventory: The agent has the ability to execute SQL, start serverless functions, and perform document CRUD operations (SKILL.md).
- Sanitization: No data sanitization or input validation logic is presented for handling retrieved data before it is processed by the AI or passed to further system calls.
Audit Metadata