commerce-b2b-open-code-components-replace
Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it ingests untrusted data from local
content.jsonandsfdx-project.jsonfiles. While the skill is instructed to only modify specific JSON keys (definition) based on an authoritative mapping, an attacker could attempt to embed malicious instructions within these files to influence agent behavior during the parsing or reporting phases. - Ingestion points: Reads
sfdx-project.jsonin the project root andcontent.jsonfiles within the site metadata directories. - Boundary markers: The instructions do not explicitly mandate delimiters or 'ignore embedded instructions' prompts when reading these files, though the focus is strictly on JSON structure.
- Capability inventory: The skill has access to
Bash(grep, ls),Read, andWritetools, allowing it to discover, read, and modify files on the local filesystem. - Sanitization: The skill uses a JSON parser (implied by the use of the Read tool for JSON) and a static mapping file (
assets/ootb-to-open-code-mapping.json) to validate replacements, which significantly limits the impact of potentially malicious content in thedefinitionfields. - [COMMAND_EXECUTION]: The skill uses
grepfor file discovery andlsto verify the presence of components in a local clone. These commands use literal search strings and are scoped to the project directory or a specific temporary directory (.tmp/b2b-commerce-open-source-components), minimizing the risk of command injection.
Audit Metadata