pci-compliance
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted external data, which creates a surface for indirect prompt injection.
- Ingestion points: Cardholder data and user input enter the skill through the PaymentData class and the sanitize_input function.
- Boundary markers: No delimiters or instructions to ignore embedded commands are present in the processing logic.
- Capability inventory: The skill utilizes the stripe library for network-based payment operations and manages sensitive data structures within a TokenVault.
- Sanitization: The provided sanitize_input function is an unimplemented placeholder.
- [COMMAND_EXECUTION]: The skill references an internal utility script located at scripts/audit-payment-system.sh for automated compliance auditing.
- [EXTERNAL_DOWNLOADS]: The skill depends on established and well-known Python packages including stripe, cryptography, and flask.
- [CREDENTIALS_UNSAFE]: Code snippets contain standard non-functional placeholders for Stripe secret and public keys such as sk_... and pk_....
Audit Metadata