voice-dossier-builder
Pass
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted content from emails, pitch decks, and social media exports.
- Ingestion points: Raw text from emails, decks, and social media platforms (LinkedIn, X, 小红书, etc.) are ingested to extract brand voice.
- Boundary markers: The instructions include a manual guardrail directing the agent to treat these inputs as untrusted per [SECURITY.md] and explicitly stating that input text should not be allowed to modify security-sensitive lists like banned phrases.
- Capability inventory: The skill writes analysis results to various memory/ locations, including candidates.md, which are subsequently used by other skills to generate content.
- Sanitization: The skill relies on natural language instructions for the AI to ignore embedded commands rather than programmatic sanitization.
- [COMMAND_EXECUTION]: The skill uses local Python scripts to fetch data from open social profiles.
- Evidence: It utilizes scripts/connectors/bluesky.py and fediverse.py for open own-profile pulls.
Audit Metadata