workday
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill documentation follows security best practices, such as referencing environment variables for API keys rather than hardcoding them.
- [COMMAND_EXECUTION]: Provides informational shell commands (curl) to demonstrate API usage for coverage checks and interaction with the Apideck Proxy service.
- [EXTERNAL_DOWNLOADS]: References official documentation, OpenAPI specifications, and SDKs hosted on Apideck's and Workday's official domains.
- [PROMPT_INJECTION]: The skill facilitates the ingestion of external data from Workday (invoices, employees, jobs), which presents a surface for indirect prompt injection.
- Ingestion points: Data retrieved from Workday via apideck.accounting., apideck.hris., and apideck.ats.* methods in SKILL.md.
- Boundary markers: None present in the documentation examples.
- Capability inventory: The skill allows the agent to read and write records to Workday using the Apideck SDK.
- Sanitization: No explicit sanitization or validation logic is defined for processing the external data.
Audit Metadata