cfb-data

Warn

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill's setup instructions in SKILL.md direct the agent to install the sports-skills Python package from PyPI, which is an external dependency from an unverified source.
  • [COMMAND_EXECUTION]: The skill relies on executing the sports-skills command-line interface as shown in SKILL.md to perform its primary data retrieval and processing functions.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from external ESPN public endpoints (specifically news headlines and game summaries via get_news and get_game_summary) without employing boundary markers or sanitization, creating a surface for indirect prompt injection.
      1. Ingestion points: News headlines and game summaries fetched from ESPN APIs as described in SKILL.md and references/api-reference.md.
      2. Boundary markers: Absent in instructions.
      3. Capability inventory: Shell execution via the sports-skills CLI and the package manager.
      4. Sanitization: Absent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 1, 2026, 02:48 AM