sf-flow
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection through its automated documentation generation process.
  - Ingestion points: The `scripts/doc_generator.py` script and various validator scripts in `hooks/scripts/` ingest user-controlled Salesforce Flow XML files (`.flow-meta.xml`).
  - Boundary markers: The markdown template used for documentation (`assets/flow-documentation-template.md`) does not employ delimiters or explicit instructions to help the AI agent distinguish between the documentation structure and potentially malicious instructions embedded within the flow's metadata (e.g., in the `<description>` or `<label>` tags).
  - Capability inventory: The skill has the capability to write files to the local file system via the `doc_generator.py` script.
  - Sanitization: There is no evidence of sanitization or escaping applied to the text extracted from the XML files before it is interpolated into the markdown reports, which could allow malicious instructions to influence the agent's behavior when it reads the generated documentation.
Audit Metadata