agentforce-observe
Warn
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill generates and executes shell commands involving the sf CLI and standard Unix utilities (find, grep, jq, python3) to manipulate the local file system and interact with Salesforce environments.
- [REMOTE_CODE_EXECUTION]: The skill uses dynamic execution by generating Apex scripts at runtime and executing them in the Salesforce Org via the sf apex run command. It also deploys a custom Apex service class (AgentforceOptimizeService) and modifies agent behavior through sf agent publish, both of which represent code execution in the remote environment.
- [PROMPT_INJECTION]: The skill ingests untrusted data from Salesforce Data Cloud session traces, which include raw user utterances and model responses. This data could contain malicious instructions designed to influence the analyzing agent's behavior.
  - Ingestion points: Conversation logs and LLM step details retrieved via methods documented in references/stdm-queries.md and references/stdm-schema.md.
  - Boundary markers: Absent; the skill does not instruct the agent to use delimiters or 'ignore' warnings when processing retrieved trace content.
  - Capability inventory: The agent possesses high-privilege capabilities including arbitrary Apex execution (sf apex run), metadata deployment (sf project deploy start), and agent publication (sf agent publish).
  - Sanitization: No explicit sanitization or validation of the retrieved trace data is performed before it is processed by the agent context.
Audit Metadata