ai-hr-performance-review

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
Full Analysis
  • [DATA_INGESTION]: The skill ingests untrusted external data through several parameters defined in references/form-schema.json, including materialText (direct text), materialFile (file uploads like .xlsx or .csv), and materialUrl (external reference links). While this creates a surface for indirect prompt injection, it is the primary purpose of the skill.
  • [COMMAND_EXECUTION]: The skill includes a Python runner (scripts/run.py) designed to interact with the vendor's API at https://ai-skills.ai. This script handles authentication via an environment variable (AISKILLS_API_KEY) and manages asynchronous task polling, which is standard behavior for API-based tools.
  • [EXTERNAL_DOWNLOADS]: The scripts/run.py script may optionally utilize the certifi Python package to manage SSL certificate verification. This is a standard security practice for making secure HTTPS requests.
  • [NETWORK_OPERATIONS]: All network traffic from the runner is directed to the vendor's infrastructure (ai-skills.ai) for processing, and no sensitive local system data (such as SSH keys or AWS credentials) is accessed or transmitted.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 03:30 AM
Security Audit — agent-trust-hub — ai-hr-performance-review