ai-hr-performance-review
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [DATA_INGESTION]: The skill ingests untrusted external data through several parameters defined in
references/form-schema.json, includingmaterialText(direct text),materialFile(file uploads like .xlsx or .csv), andmaterialUrl(external reference links). While this creates a surface for indirect prompt injection, it is the primary purpose of the skill. - [COMMAND_EXECUTION]: The skill includes a Python runner (
scripts/run.py) designed to interact with the vendor's API athttps://ai-skills.ai. This script handles authentication via an environment variable (AISKILLS_API_KEY) and manages asynchronous task polling, which is standard behavior for API-based tools. - [EXTERNAL_DOWNLOADS]: The
scripts/run.pyscript may optionally utilize thecertifiPython package to manage SSL certificate verification. This is a standard security practice for making secure HTTPS requests. - [NETWORK_OPERATIONS]: All network traffic from the runner is directed to the vendor's infrastructure (
ai-skills.ai) for processing, and no sensitive local system data (such as SSH keys or AWS credentials) is accessed or transmitted.
Audit Metadata