usaspending-api-helper
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Prompt Injection] (SAFE): No instructions to bypass safety filters or override agent behavior were found.
- [Data Exposure & Exfiltration] (SAFE): No hardcoded credentials, sensitive file paths, or unauthorized network operations were detected. The skill references legitimate, public government API endpoints.
- [Obfuscation] (SAFE): No encoded, hidden, or deceptive content was identified in the file.
- [Unverifiable Dependencies & Remote Code Execution] (SAFE): The skill does not request the installation of external packages or provide mechanisms for remote script execution.
- [Privilege Escalation] (SAFE): No commands for acquiring elevated permissions were found.
- [Persistence Mechanisms] (SAFE): The skill does not contain instructions for maintaining unauthorized persistent access.
- [Metadata Poisoning] (SAFE): The skill's metadata accurately reflects its stated purpose and functionality.
- [Indirect Prompt Injection] (SAFE): The skill describes ingestion points for data from the USA Spending API (Ingestion points: SKILL.md), but it lacks any dangerous capabilities like file writing or subprocess execution (Capability inventory: None). Additionally, it recommends input validation as a best practice (Sanitization: SKILL.md).
- [Time-Delayed / Conditional Attacks] (SAFE): No conditional logic for triggering malicious behavior was found.
- [Dynamic Execution] (SAFE): No runtime code generation, unsafe deserialization, or dynamic loading of untrusted modules was identified.
Audit Metadata