sales-app-extensibility
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFECREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection during Step 1 (Discovery). It ingests untrusted external data from user-provided URLs or documentation snippets (API Documentation Ingestion) to derive code structures.
- Ingestion points:
references/discovery-and-use-cases.md(API Documentation Ingestion section). - Boundary markers: Present; the skill requires the agent to summarize extracted data and wait for user confirmation before proceeding to code generation.
- Capability inventory: The skill generates React components, CSS, and documentation files, and provides shell commands for deployment (
SKILL.mdSteps 3-6). - Sanitization: Lacks automated sanitization of ingested text, relying primarily on the user confirmation step to mitigate malicious instructions embedded in documentation.
- [CREDENTIALS_UNSAFE]: The skill provides a 'Direct Auth' template in
references/code-templates-and-patterns.mdthat instructs the agent to place authentication headers directly into frontend code. While the skill correctly labels this as insecure and provides a 'VTEX IO Proxy' as the recommended secure alternative, the existence of the insecure template poses a risk of accidental credential exposure if used improperly. - [EXTERNAL_DOWNLOADS]: The workflow involves fetching external content (API documentation) via the agent's web browsing tools and installing vendor-specific dependencies using
yarnandnpx(e.g.,@vtex/fsp-cli,@vtex/sales-app). These operations target trusted vendor domains (vtex.com, fast.store). - [COMMAND_EXECUTION]: The skill generates and instructs the execution of shell commands for project initialization, local development, and building (e.g.,
yarn fsp build,npx fsp create). These are standard development operations for the VTEX platform.
Audit Metadata