cja-segment-performance-comparator
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill references Google Fonts (fonts.googleapis.com) in its HTML template. Google is a well-known and trusted service provider, and this reference is standard for styling generated reports.
- [COMMAND_EXECUTION]: The skill utilizes the
opencommand to display the generated HTML report from the/tmp/directory. This is an expected and functional behavior for a tool whose primary purpose is to provide visual data analysis. - [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface because it processes data from API responses (segment names and metric values) and renders them in an HTML report.
- Ingestion points: Data entering the context from
findSegments,describeSegment, andrunReporttool outputs. - Boundary markers: Not explicitly defined in the template interpolation instructions.
- Capability inventory: The skill has file-write access to
/tmp/and the ability to execute theopencommand. - Sanitization: There are no explicit instructions to sanitize or escape data before it is inserted into the HTML placeholders. However, given the context of a business analytics tool and the trusted nature of the data source, this is characterized as a minor architectural observation rather than a malicious finding.
Audit Metadata