gpc-purchase-orders
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents the use of the `gpc` command-line utility for managing purchases, subscriptions, and orders. The commands are standard for billing management tasks.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill handles transaction identifiers and purchase tokens as arguments to the `gpc` tool. This behavior is consistent with the tool's intended use for verifying transactions, and no evidence of unauthorized data exfiltration was found.
- [INDIRECT_PROMPT_INJECTION]: The skill can ingest external data via the `gpc external-transactions create --file tx.json` command. This presents a potential surface for indirect prompt injection if the JSON file contents are sourced from untrusted parties.
  - Ingestion points: External transaction data from `tx.json` (SKILL.md).
  - Boundary markers: None specified in the instructions.
  - Capability inventory: Shell command execution via `gpc` (SKILL.md).
  - Sanitization: No explicit sanitization steps for the file input are provided in the skill instructions.
Audit Metadata