data360-schema-get
Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill uses the official Salesforce CLI (`sf`) to manage authentication tokens securely via the `sf org display` command. The Python scripts implement `subprocess.run` with a list of arguments, which is a recommended practice to prevent shell injection vulnerabilities.
- [SAFE]: The skill relies on well-known and standard dependencies (`requests`, `pyyaml`) from the official Python Package Index (PyPI). `pyyaml` is listed as a prerequisite but is not actively imported in the provided scripts; its presence is benign.
- [PROMPT_INJECTION]: The skill identifies an indirect prompt injection surface as it processes metadata (field names, labels, and descriptions) retrieved from Salesforce Data Cloud and presents it directly to the agent. This metadata is potentially attacker-controlled if an adversary has permissions to modify schema descriptions within the target Salesforce environment.
  - Ingestion points: Data retrieved from the `/services/data/v64.0/ssot/` REST endpoints in `scripts/get_dlo_schema.py` and `scripts/get_dmo_schema.py`.
  - Boundary markers: The output is presented to the user/agent without explicit boundary markers or instructions to ignore embedded commands.
  - Capability inventory: The skill is restricted to reading metadata and printing it to the console; it lacks capabilities for file writing, arbitrary command execution from remote data, or unauthorized network exfiltration.
  - Sanitization: No specific sanitization or filtering of the retrieved metadata is performed before presentation.
Audit Metadata