cja-segment-performance-comparator

Pass

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill references Google Fonts (fonts.googleapis.com) in its HTML template. Google is a well-known and trusted service provider, and this reference is standard for styling generated reports.
  • [COMMAND_EXECUTION]: The skill utilizes the open command to display the generated HTML report from the /tmp/ directory. This is an expected and functional behavior for a tool whose primary purpose is to provide visual data analysis.
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface because it processes data from API responses (segment names and metric values) and renders them in an HTML report.
  • Ingestion points: Data entering the context from findSegments, describeSegment, and runReport tool outputs.
  • Boundary markers: Not explicitly defined in the template interpolation instructions.
  • Capability inventory: The skill has file-write access to /tmp/ and the ability to execute the open command.
  • Sanitization: There are no explicit instructions to sanitize or escape data before it is inserted into the HTML placeholders. However, given the context of a business analytics tool and the trusted nature of the data source, this is characterized as a minor architectural observation rather than a malicious finding.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 14, 2026, 11:50 PM
Security Audit — agent-trust-hub — cja-segment-performance-comparator