cloud-logging
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
gcloudCLI (via the Bash tool) to retrieve project configuration (gcloud config get-value project) and read logs (gcloud logging read). - Evidence: Step 1 and Step 5 in
SKILL.mddefine these operations. - Mitigations: The skill mandates user confirmation (Step 4) and provides explicit instructions to use single quotes around query filters to prevent accidental command injection from parsed user arguments.
- [DATA_EXFILTRATION]: While the skill accesses potentially sensitive log data, it does so within the scope of its primary purpose (log analysis). It includes an explicit warning to the agent to alert the user if sensitive information like PII or authentication tokens is detected in the results.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from log entries and user-provided search criteria. However, it manages this risk by requiring human-in-the-loop confirmation before command execution and providing clear instructions on query construction.
Audit Metadata