esports
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to
api.opendota.comandlol.fandom.comto fetch match and tournament data. These are established public services for gaming statistics. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes data from Leaguepedia (a Fandom wiki), which is user-generated and could be manipulated to include malicious instructions.
- Ingestion points: Data retrieved via
lol_cargo_queryand other Leaguepedia/OpenDota commands (SKILL.md). - Boundary markers: None implemented in the provided instructions to differentiate data from instructions.
- Capability inventory: The skill allows querying external tables and fields, which are then processed by the agent (SKILL.md).
- Sanitization: No evidence of sanitization or filtering of the external API responses before they are returned to the agent context.
Audit Metadata