agentforce-test
Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: Static analysis identified prompt injection patterns in `references/preview-testing.md` and `assets/guardrail-test-spec.yaml`. These were manually verified as part of the skill's 'Safety Probes' and 'Guardrail Tests' datasets. They are used as test utterances to verify that a target agent correctly deflects malicious input, rather than being instructions to the agent itself.
- [DATA_EXFILTRATION]: The skill uses `sf org display` to retrieve Salesforce access tokens and instance URLs. These credentials are used to make authenticated REST API calls via `curl` to the user's own Salesforce instance for the purpose of executing Flow and Apex actions. No evidence of data exfiltration to unauthorized third-party domains was found.
- [COMMAND_EXECUTION]: The skill frequently executes shell commands including `sf` CLI operations, `curl`, and `python3`. These operations are well-documented and governed by explicit safety checks, such as verifying if the target org is a sandbox and warning the user before performing DML (write) operations on production data.
- [INDIRECT_PROMPT_INJECTION]: The skill exhibits an indirect prompt injection attack surface as it processes `.agent` and `.yaml` files to derive test cases.
  - Ingestion points: Reads local `.agent` configuration files and YAML test specifications (`assets/basic-test-spec.yaml`, `assets/guardrail-test-spec.yaml`).
  - Boundary markers: The skill uses Python `re.sub` to strip control characters from CLI output before parsing, which provides a layer of defense against certain types of input-based disruption.
  - Capability inventory: The skill has the capability to write/edit local files, execute shell commands, and interact with Salesforce APIs.
  - Sanitization: The skill includes clear instructions to avoid real PII in test data and provides warnings for production environments.
Audit Metadata