gpc-user-management
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on shell command execution to interface with the `gpc` CLI tool. This is performed via the agent's command environment and a Node.js detection script (`scripts/detect_gpc.mjs`) that uses `execSync` to verify installation and configuration.
- [PROMPT_INJECTION]: The skill's functionality for importing testers from CSV files (`gpc testers import --file testers.csv`) constitutes an indirect prompt injection surface by ingesting external data.
  - Ingestion points: Local CSV files containing tester email addresses.
  - Boundary markers: No explicit delimiter or instruction-ignore markers are specified for the CSV content.
  - Capability inventory: The agent can add, remove, and list users and testers in a Google Play developer account.
  - Sanitization: No sanitization or validation logic is present in the provided skill files.
- [EXTERNAL_DOWNLOADS]: The skill suggests using `npx` to download and execute the `@gpc-cli/cli` package from the NPM registry if it is not already available in the system path.
- [CREDENTIALS_UNSAFE]: The skill accesses the `GPC_SERVICE_ACCOUNT` environment variable to authenticate with Google Play services, representing a standard exposure of sensitive configuration for API access.
Audit Metadata