data360-schema-get

Pass

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill uses the official Salesforce CLI (sf) to manage authentication tokens securely via the sf org display command. The Python scripts call subprocess.run with a list of arguments, which is a recommended practice to prevent shell injection vulnerabilities.
  • [SAFE]: The skill relies on well-known and standard dependencies (requests, pyyaml) from the official Python Package Index (PyPI). pyyaml is listed as a prerequisite but is not actively imported in the provided scripts; its presence is benign.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface: it processes metadata (field names, labels, and descriptions) retrieved from Salesforce Data Cloud and presents it directly to the agent. This metadata is potentially attacker-controlled if an adversary has permissions to modify schema descriptions within the target Salesforce environment.
    • Ingestion points: Data retrieved from the /services/data/v64.0/ssot/ REST endpoints in scripts/get_dlo_schema.py and scripts/get_dmo_schema.py.
    • Boundary markers: The output is presented to the user/agent without explicit boundary markers or instructions to ignore embedded commands.
    • Capability inventory: The skill is restricted to reading metadata and printing it to the console; it lacks capabilities for file writing, arbitrary command execution from remote data, or unauthorized network exfiltration.
    • Sanitization: No specific sanitization or filtering of the retrieved metadata is performed before presentation.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 26, 2026, 02:37 PM
Security Audit — agent-trust-hub — data360-schema-get