audit-marketing
Pass
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
Bashtool to execute local utility scripts such asskills/forsvn-slop/scan.tsandscripts/log-critic-override.tsto perform its core auditing functions. - [PROMPT_INJECTION]: The skill processes untrusted marketing draft data, representing an indirect prompt injection surface.
- Ingestion points: Untrusted content enters through marketing artifacts located in
docs/forsvn/artifacts/**/*.md. - Boundary markers: The skill uses a structured report template and a
protected_tokensmechanism to separate user content from instructions. - Capability inventory: The skill possesses the
Bash,Skill, andReadtools, enabling it to execute local scripts and dispatch sub-agents. - Sanitization: Security is maintained through a 're-verify gate' that re-scans fixed content to ensure that critical tokens (names, URLs, numbers) are preserved and that no new slop patterns were introduced.
- [SAFE]: The auxiliary script
log-critic-override.tsdemonstrates excellent security hygiene. - It implements directory traversal prevention by rejecting artifact paths containing
..or absolute paths. - It protects against symbolic link attacks by using
lstatSyncto verify directories and target files before writing. - It performs strict input validation on command-line arguments, including regex checks for skill names and newline detection to prevent injection into markdown logs.
Audit Metadata