full-engagement-pipeline

Pass

Audited by Gen Agent Trust Hub on Jul 8, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process untrusted external files, such as 'messy folders of bank statements', 'receipts', and 'mixed PDFs' during its smart-intake and folder-dump operations. These documents could contain malicious instructions meant to influence the agent's behavior during data extraction or classification.
  • Ingestion points: Folder dumps, bank statements, receipts, and PDFs processed in the 'smart-intake' and 'source-documents' stages.
  • Boundary markers: While the skill loads 'shared/guardrails.md', the SKILL.md does not specify clear delimiters or boundary markers for the content being processed from external files.
  • Capability inventory: The skill has the capability to read/write files (JSON, Markdown, Beancount), update engagement state files, and trigger the execution of other sub-skills.
  • Sanitization: No specific sanitization or validation of the content within the ingested documents is described in the orchestration logic.
  • [COMMAND_EXECUTION]: The pipeline references the execution of system-level tools such as 'bean-check' for validating Beancount files and 'fava' for launching a web-based financial UI. These interactions with the host system are part of the intended accounting workflow but represent a standard command execution surface.
  • [DYNAMIC_EXECUTION]: The skill implements a dynamic orchestration mechanism that 'loads' and executes other sub-skills at runtime based on the state of the engagement pipeline. It reads 'SKILL.md' files from a plugin path and executes them sequentially. This architecture creates a chain of dependencies where the security of the pipeline relies on the integrity of the referenced skill files.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 8, 2026, 08:04 PM
Security Audit — agent-trust-hub — full-engagement-pipeline