Skills
skills/motion-creative/motion-creative-plugin/performance-analysis/Gen Agent Trust Hub

performance-analysis

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [SAFE]: The skill's design and logic align perfectly with its stated purpose of advertising performance analysis. It uses vendor-specific tools provided through the Model Context Protocol (MCP) for its primary operations.
  • [DATA_EXFILTRATION]: The skill accesses a local configuration file (motion-creative.config.md) located in the plugin's root directory. This is used for retrieving workspace-specific settings, which is a standard and safe operational practice for such tools.
  • [COMMAND_EXECUTION]: All tool usage is restricted to the tools listed in the frontmatter's allowed-tools section. The skill uses these tools solely for retrieving analytical data and interacting with the user.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from API responses (e.g., campaign names, creative metadata) in SKILL.md. Ingestion points: get_creative_insights, get_demographic_breakdown, get_glossary_values. Boundary markers: Absent. Capability inventory: Agent tool (for workflow chaining), Read tool (for config and references), AskUserQuestion. Sanitization: Absent. This represents an indirect prompt injection surface; however, the risk is minimal as the ingested data is used for report generation and does not influence high-privilege operations.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 16, 2026, 01:00 AM
Security Audit — agent-trust-hub — performance-analysis