tenders-finder

Pass

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it processes data from external tender portals.
      • Ingestion points: Data is scraped from portals like GeBIZ and Bid Detail via tinyfish agents and stored in temporary files in SKILL.md.
      • Boundary markers: The instructions do not use delimiters or explicit warnings to separate external tender data from the agent's sorting and formatting instructions.
      • Capability inventory: The skill uses bash for script orchestration and the tinyfish tool for browser-based data extraction.
      • Sanitization: No sanitization or validation is applied to the scraped content before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill uses bash to run parallel data retrieval agents and manage the results. These commands are necessary for the skill's functionality and do not exhibit signs of malicious intent or privilege escalation.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the tinyfish CLI tool from the npm registry. This is an expected dependency for skills built with the tinyfish ecosystem as documented by the vendor.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 11, 2026, 04:44 PM