esports

Pass

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill makes network requests to api.opendota.com and lol.fandom.com to fetch match and tournament data. These are established public services for gaming statistics.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes data from Leaguepedia (a Fandom wiki), which is user-generated and could be manipulated to include malicious instructions.
  • Ingestion points: Data retrieved via lol_cargo_query and other Leaguepedia/OpenDota commands (SKILL.md).
  • Boundary markers: None implemented in the provided instructions to differentiate data from instructions.
  • Capability inventory: The skill allows querying external tables and fields, which are then processed by the agent (SKILL.md).
  • Sanitization: No evidence of sanitization or filtering of the external API responses before they are returned to the agent context.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 2, 2026, 04:27 AM
Security Audit — agent-trust-hub — esports