mercury
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE | COMMAND_EXECUTION | DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill constructs and executes shell commands using `bash -c`. While intended to facilitate variable expansion for the API token, this creates a potential command injection surface if the agent populates placeholders (e.g., `<your-account-id>`) with untrusted or malicious strings retrieved from external data.
- [DATA_EXFILTRATION] (LOW): The skill transmits sensitive financial data to `api.mercury.com`. While this is the primary purpose of the skill, users should be aware of the data flow to this third-party service.
- [DATA_EXFILTRATION] (LOW): Sensitive information, including bank account numbers, routing numbers, and transaction details, is written to `/tmp/mercury_request.json`. In multi-user or shared environments, files in `/tmp` may be accessible by other processes or users.
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection:
  - Ingestion points: Data retrieved from Mercury API responses (e.g., transaction notes, customer names) are processed by the agent.
  - Boundary markers: None present to distinguish API data from instructions.
  - Capability inventory: File system access (`/tmp`), network access (`curl`), and shell execution (`bash`).
  - Sanitization: No evidence of sanitization or validation of the data returned by the API before it is used in the agent's context.
Audit Metadata