Skills
skills/useautumn/skills/autumn-create-customer/Gen Agent Trust Hub

autumn-create-customer

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (LOW): The skill requires the installation of the autumn-js (Node.js) and autumn-py (Python) packages. These dependencies are not maintained by a 'Trusted Organization' as defined in the security framework.
  • [PROMPT_INJECTION] (LOW): The skill presents a surface for indirect prompt injection by ingesting untrusted session data into API requests. Evidence Chain: 1. Ingestion point: session object variables in the autumnHandler function; 2. Boundary markers: Absent; 3. Capability inventory: Network requests via the Autumn SDK; 4. Sanitization: Not explicitly shown in the provided snippets.
  • [DATA_EXFILTRATION] (SAFE): The skill transmits customer identifying information (ID, name, email) to the Autumn API. This activity is the intended primary purpose of the skill and does not access unauthorized sensitive files.
  • [CREDENTIALS_UNSAFE] (SAFE): The skill recommends using environment variables (AUTUMN_SECRET_KEY) for secret keys and provides non-sensitive placeholders for testing.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 04:34 PM