prior-auth-review-skill
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted clinical documentation (PDFs) and request forms, creating a surface for indirect prompt injection. Maliciously crafted content within these documents could potentially influence the AI's medical necessity assessment or decision rationale.
- Ingestion points: references/01-intake-assessment.md (Step 1: Collect PA Request Information).
- Boundary markers: The skill does not define clear delimiters or specific instructions for the agent to ignore embedded commands within the extracted clinical text.
- Capability inventory: The skill calls several MCP tools (NPI, ICD-10, CMS Coverage), performs WebFetch operations, and writes decision/assessment data to the local file system.
- Sanitization: There is no explicit sanitization or validation logic described for the clinical data extracted from user-provided documentation.
- [DATA_EXFILTRATION]: The skill handles sensitive Protected Health Information (PHI) and Personally Identifiable Information (PII). This data is stored in local waypoint files (waypoints/assessment.json) and components of it are used as parameters in WebFetch calls to the external CMS Physician Fee Schedule website for code validation.
- [EXTERNAL_DOWNLOADS]: Fetches configuration and medical code details from the official CMS Physician Fee Schedule website (cms.gov) via the WebFetch tool. This targets a well-known and official service for its intended functionality.
Audit Metadata