pre-visit-plan

Pass

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it incorporates untrusted data from external industry research and judicial platforms into its planning workflow.
  • Ingestion points: Workflow Step 4 (Risk signal retrieval from external platforms) and Step 5 (Industry dynamic retrieval via internet search) in SKILL.md.
  • Boundary markers: The workflow lacks explicit delimiters or instructions to ignore potential commands embedded in the retrieved external data.
  • Capability inventory: The ingested data influences the generation of visit reports, which are subsequently used by downstream banking skills like visit-memo and submit-credit-application.
  • Sanitization: There is no evidence of filtering or sanitization of the content fetched from external sources before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill executes a local Python script for report validation at both the start and end of its workflow.
  • Evidence: SKILL.md Workflow Steps 0 and 9 invoke scripts/validate_visit_plan.py to ensure input and output compliance.
  • Context: The script is bundled with the skill, performs purely local validation of report structure, and does not exhibit malicious behavior or require external dependencies.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 29, 2026, 06:40 AM
Security Audit — agent-trust-hub — pre-visit-plan