building-sf-integrations
Warn
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/configure-named-credential.sh executes shell commands using the Salesforce CLI (sf) to query data and run Apex code. It dynamically constructs commands and scripts using shell variables.
- [REMOTE_CODE_EXECUTION]: The script scripts/configure-named-credential.sh generates a temporary Apex file by interpolating user-supplied variables ($EXTERNAL_CREDENTIAL_NAME, $PRINCIPAL_NAME, and $API_KEY) into a code template. This file is then executed on the target Salesforce org via sf apex run. Because the variables are not sanitized before interpolation, a malicious actor could provide an input (such as an API key containing Apex code fragments) to inject and execute arbitrary code on the Salesforce platform.
- [DYNAMIC_EXECUTION]: The skill utilizes mktemp to create executable Apex scripts at runtime. This pattern of generating and then executing code from temporary files is a known attack vector if the generation process can be influenced by untrusted input.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process OpenAPI/Swagger specifications for External Services (as seen in assets/external-services/). These specifications represent an attack surface where maliciously crafted external data could attempt to influence the agent's behavior or the generated integration code.
  - Ingestion points: OpenAPI JSON/YAML strings in .externalServiceRegistration-meta.xml files.
  - Boundary markers: None explicitly defined in the provided templates to isolate external schema content.
  - Capability inventory: Subprocess execution of sf CLI commands in helper scripts; file-writing operations for metadata deployment.
  - Sanitization: No explicit validation or sanitization of the OpenAPI schema content is performed before processing.
Audit Metadata