observing-agentforce

Pass

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: SAFE
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Deploys a vendor-authored Apex class (AgentforceOptimizeService.cls) to the Salesforce environment to enable specialized STDM (Session Trace Data Model) queries.
  • [COMMAND_EXECUTION]: Extensively uses the Salesforce CLI (sf) to interact with the target org, query data, and manage agent preview sessions, including the use of dynamically generated Apex scripts via the sf apex run command.
  • [PROMPT_INJECTION]: Vulnerable to indirect prompt injection as it ingests and processes raw conversation traces (user utterances and agent responses) from production sessions.
      • Ingestion points: Data Cloud query results and local trace files from sf agent preview.
      • Boundary markers: The instructions lack explicit delimiters or warnings to ignore instructions embedded within the processed trace data.
      • Capability inventory: The skill has access to powerful tools including Bash, Write, and Edit, which could be abused if the agent inadvertently follows instructions in the ingested data.
      • Sanitization: Conversation content is presented for analysis without escaping or filtering of potentially malicious instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 8, 2026, 07:59 PM