fda-database
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches regulatory drug data from the official openFDA REST API at api.fda.gov. This is a recognized government service for pharmacovigilance and product labeling.
- [PROMPT_INJECTION]: Indirect prompt injection vulnerability surface detected due to unsanitized interpolation of user input into API search queries.
- Ingestion points: User-provided drug names and active ingredients are directly placed into Elasticsearch-formatted query strings in SKILL.md.
- Boundary markers: Absent. The skill does not employ delimiters or specific instructions to separate user-provided data from the query syntax.
- Capability inventory: The skill uses the 'requests' library for network GET operations and the 'pandas' library to write data to local CSV files in SKILL.md.
- Sanitization: Absent. No escaping or validation is performed on input strings before they are used in the network request parameters, which could allow for query manipulation.
Audit Metadata