kibo-ecommerce
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends using official software development kits from the platform vendor, such as
@kibocommerce/rest-sdkand@kibocommerce/graphql-client. These are hosted on standard registries and are legitimate for the skill's purpose. - [COMMAND_EXECUTION]: Documentation includes standard CLI commands for the platform's development workflow, such as using Yeoman (
yo) for scaffolding and Grunt for bundling API extensions. These are routine development operations. - [INDIRECT_PROMPT_INJECTION]: The skill describes processing untrusted data from external sources like webhooks and storefront inputs. It correctly identifies the attack surface and provides mitigation guidance, such as recommending callback verification for event payloads and explicitly warning against XSS by advising HTML sanitization on the storefront. (Assessment: SAFE)
- [DATA_EXFILTRATION]: No exfiltration patterns were found. The skill emphasizes secure handling of credentials using environment variables and strictly follows PCI compliance standards by requiring card tokenization at the dedicated PCI host instead of the main API.
Audit Metadata