company-deep-dive

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests untrusted data from web searches and extractions, which is interpolated into prompts for the main agent and sub-agents. This creates a surface for indirect prompt injection.\n
  • Ingestion points: Search results and extracted page content from the nimble CLI.\n
  • Boundary markers: None identified in the prompt templates.\n
  • Capability inventory: The skill uses Bash for shell operations and the Agent tool with bypassPermissions for sub-task execution.\n
  • Sanitization: Content is used directly as returned by the web data API without specific sanitization filters.\n- [EXTERNAL_DOWNLOADS]: Onboarding instructions require installing the @nimbleway/cli package via npm, which is the official CLI tool provided by the vendor.\n- [COMMAND_EXECUTION]: The skill uses Bash to invoke the nimble CLI, manage a local file-based memory system in ~/.nimble/, and perform date arithmetic.
Audit Metadata
Risk Level
SAFE
Analyzed
May 15, 2026, 08:25 PM
Security Audit — agent-trust-hub — company-deep-dive