sf-payments

Pass

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill enforces PCI DSS SAQ-A compliance by instructing the agent to use tokenization and hosted payment fields (iframes), ensuring that raw cardholder data is never processed or stored on the merchant's servers.
  • [SAFE]: Security best practices for credential management are explicitly defined, directing the user to store API keys in Salesforce Named Credentials or Custom Settings rather than hardcoding them in scripts.
  • [SAFE]: The documentation encourages the implementation of webhook signature verification to secure asynchronous payment events against unauthorized requests.
  • [SAFE]: Ingestion of external data via WebSearch and WebFetch for live documentation (Salesforce Payments, Stripe, Adyen guides) represents a potential surface for indirect prompt injection. However, this risk is mitigated by the skill's primary focus on security-first implementation and the necessity of up-to-date API references for payment integrations.
  • Ingestion points: WebSearch and WebFetch tools used to retrieve live API and compliance documentation in the 'Before Writing Code' section.
  • Boundary markers: Not explicitly defined for external fetched content.
  • Capability inventory: Read, Write, Edit, Bash, Grep, Glob tools are available to the agent.
  • Sanitization: No explicit sanitization or filtering of fetched documentation is mentioned, though the skill provides a strong conceptual framework for secure implementation.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 29, 2026, 02:51 PM
Security Audit — agent-trust-hub — sf-payments