iii-low-code-automation
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill defines an architecture for automation chains that ingest untrusted data from external entry points, creating a surface for indirect prompt injection.
- Ingestion points: External data enters the system through HTTP webhooks (form submissions, payment events) and RSS feeds fetched via cron triggers, as described in SKILL.md.
- Boundary markers: The skill instructions do not provide examples or requirements for using delimiters or 'ignore embedded instructions' warnings to isolate ingested data from agent logic.
- Capability inventory: The framework includes capabilities to persist data via (state::set), send external notifications (auto::notify-slack), and modify orders (auto::update-order), which could be leveraged if an injection occurs.
- Sanitization: There are no explicit instructions for validating or sanitizing external content before it is processed by the chain or an LLM.
- [SAFE]: The skill utilizes vendor-specific infrastructure, function IDs (auto::, state::), and engine primitives (registerWorker, registerFunction, TriggerAction) that are consistent with the vendor identity of the author (iii-hq).
Audit Metadata