entity-compliance

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Full Analysis
  • [External Data Processing]: The skill processes registered agent reports in various formats (PDF, CSV, Excel) to update its internal compliance tracker. This ingestion of external data represents a surface for indirect prompt injection if the source files contain malicious instructions. However, the skill's implementation is focused on structured data extraction and lacks network access, which effectively limits the risk profile.
  • [Sensitive Information Access]: The skill reads and writes data to ~/.claude/plugins/config/claude-for-legal/, which contains corporate entity tables and jurisdiction details. This access is consistent with its stated purpose of maintaining a centralized compliance tracker.
  • [Security Control Implementation]: The instructions include an explicit requirement to defend against formula injection when exporting CSV or table data. It directs the agent to prefix potentially executable characters (such as =, +, or -) with a single quote to prevent unauthorized code execution when the file is opened in spreadsheet software.
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 12:40 AM