pre-visit-plan
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it incorporates untrusted data from external industry research and judicial platforms into its planning workflow.
- Ingestion points: Workflow Step 4 (Risk signal retrieval from external platforms) and Step 5 (Industry dynamic retrieval via internet search) in
SKILL.md. - Boundary markers: The workflow lacks explicit delimiters or instructions to ignore potential commands embedded in the retrieved external data.
- Capability inventory: The ingested data influences the generation of visit reports, which are subsequently used by downstream banking skills like
visit-memoandsubmit-credit-application. - Sanitization: There is no evidence of filtering or sanitization of the content fetched from external sources before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill executes a local Python script for report validation at both the start and end of its workflow.
- Evidence:
SKILL.mdWorkflow Steps 0 and 9 invokescripts/validate_visit_plan.pyto ensure input and output compliance. - Context: The script is bundled with the skill, performs purely local validation of report structure, and does not exhibit malicious behavior or require external dependencies.
Audit Metadata