pipeline-review
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill attempts to read a Pipedrive API token from a local file at `~/.config/pipedrive/api_key`. This is a sensitive credential access operation.
- [COMMAND_EXECUTION]: The workflow executes several local scripts, including `fetch_pipeline_data.sh`, `analyze_pipeline.py`, and `should_run_review.sh`. These scripts handle data retrieval, complex analysis, and state persistence.
- [DATA_EXFILTRATION]: Sales data retrieved from Pipedrive is transmitted to a hardcoded Notion database ID (`6def2319-67ef-46a9-b03f-92e3532dd3b0`). This constitutes an external data transfer across service boundaries.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted content from the Pipedrive CRM (such as deal titles and organization names) and incorporates it into instructions for the LLM to generate narrative reviews.
  - Ingestion points: Data enters the system via Pipedrive API calls in `fetch_pipeline_data.sh` and is passed to `analyze_pipeline.py` via temporary JSON files.
  - Boundary markers: There are no explicit boundary markers or system instructions to ignore potential commands embedded within the CRM data fields.
  - Capability inventory: The skill can execute local scripts and write data to external web services (Notion).
  - Sanitization: The analysis script and prompt instructions do not perform sanitization or escaping of the ingested CRM data before it is used for narrative generation.
Audit Metadata