find-design-agency

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFE
CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructs the agent to automatically scan for the SERVICEGRAPH_TOKEN in shell environment variables and local sensitive files including .env and .env.local. It explicitly directs the agent to 'use it; don't ask' if found, which bypasses user confirmation for accessing potentially sensitive configuration files.
  • [PROMPT_INJECTION]: The skill processes data from an external source (ServiceGraph API), which presents a surface for indirect prompt injection.
      • Ingestion points: External data enters the agent context via responses from the api.servicegraph.co API endpoints (/v1/search, /v1/get).
      • Boundary markers: No explicit delimiters or instructions are provided to the agent to treat API-returned content as untrusted or to ignore embedded instructions.
      • Capability inventory: The skill utilizes network operations via curl, fetch, or requests to interact with the external API.
      • Sanitization: There is no evidence of sanitization or validation logic for the content retrieved from the API before it is presented to the user or processed by the agent.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 8, 2026, 08:53 AM