mobile-platform-native-capabilities-integrate
Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is authored by Salesforce (forcedotcom) and provides documentation for standard, official mobile platform APIs. All external references point to legitimate Salesforce developer documentation.
- [DATA_EXPOSURE]: The skill documents methods to access sensitive device data, including GPS location, contacts, calendar events, and biometrics. This access is the primary intended purpose of the skill and is implemented through official Salesforce mobile container APIs which require user permissions and availability gating.
- [INDIRECT_PROMPT_INJECTION]: The skill facilitates the ingestion of untrusted data from external sources such as NFC tags, barcodes, and document scanners. This creates a surface for indirect prompt injection if the resulting data is subsequently passed to an LLM without sanitization or clear prompt boundaries, since anyone who can print a barcode or program a tag controls that input.
- Ingestion points: Data enters the system via the NfcService.read(), BarcodeScanner.scan(), and DocumentScanner.scan() methods described in the reference files.
- Boundary markers: Not defined in the API types; the instructions recommend handling specific failure codes and graceful degradation, but do not explicitly mandate prompt boundaries for data retrieved from hardware.
- Capability inventory: The skill allows reading and writing to device hardware (NFC, Contacts, Calendar) within the context of the Salesforce Mobile App container.
- Sanitization: The API definitions do not include built-in sanitization; developers are responsible for validating and escaping data returned from these services before further use.
Audit Metadata