cja-kpi-pulse
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses bash commands to write the generated HTML report to the
/tmpdirectory and uses theopencommand to display the file to the user. This is a functional requirement for its reporting capabilities.\n- [INDIRECT_PROMPT_INJECTION]: The skill creates a surface for indirect injection by processing metric and dimension data from external sources and interpolating them into an HTML template.\n - Ingestion points: Data retrieved from
runReport,findMetrics, andlistComponentUsage.\n - Boundary markers: None explicitly defined for the HTML generation phase.\n
- Capability inventory: The skill can write files to
/tmpand execute theopencommand.\n - Sanitization: The skill provides logic for number and currency formatting, although it does not explicitly specify escaping for text-based dimension values during HTML assembly.
Audit Metadata