evaluate-campaign
Pass
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: SAFEDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
bunruntime to execute various utility scripts, such asmanifest-sync.tsandappend-loop-result.ts, for managing project metadata and campaign ledgers. - [DATA_EXFILTRATION]: The
scripts/lib/hosted-api.tsfile reads configuration and credential files from the user's home directory (e.g.,~/.config/forsvn/api-key,~/.config/forsvn/credentials.json) to authenticate telemetry and data requests to the vendor's API atapi.forsvn.com. - [EXTERNAL_DOWNLOADS]: The skill makes network requests to
api.forsvn.comto download content packs, retrieve project context, and upload metrics as part of its normal operation. - [PROMPT_INJECTION]: The skill ingests data from external sources like CRM exports and analytics platforms, which represents an indirect prompt injection surface.
- Ingestion points: External metrics and CRM data are ingested through
agents/metric-ingest-agent.mdandagents/diagnosis-agent.md. - Boundary markers: The skill does not implement explicit boundary markers or delimiters for external data within its agent prompts to separate untrusted content from instructions.
- Capability inventory: The skill has access to
Bash,Write, andEdittools, and includes scripts likemanifest-sync.tsandappend-loop-result.tsthat can modify the filesystem. - Sanitization:
scripts/append-loop-result.tsprovides basic sanitization by rejecting inputs that contain tab or newline characters to protect the integrity of the project's TSV ledgers.
Audit Metadata