sf-payments
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill enforces PCI DSS SAQ-A compliance by instructing the agent to use tokenization and hosted payment fields (iframes), ensuring that raw cardholder data is never processed or stored on the merchant's servers.
- [SAFE]: Security best practices for credential management are explicitly defined, directing the user to store API keys in Salesforce Named Credentials or Custom Settings rather than hardcoding them in scripts.
- [SAFE]: The documentation encourages the implementation of webhook signature verification to secure asynchronous payment events against unauthorized requests.
- [SAFE]: Ingestion of external data via
WebSearchandWebFetchfor live documentation (Salesforce Payments, Stripe, Adyen guides) represents a potential surface for indirect prompt injection. However, this risk is mitigated by the skill's primary focus on security-first implementation and the necessity of up-to-date API references for payment integrations. - Ingestion points:
WebSearchandWebFetchtools used to retrieve live API and compliance documentation in the 'Before Writing Code' section. - Boundary markers: Not explicitly defined for external fetched content.
- Capability inventory:
Read,Write,Edit,Bash,Grep,Globtools are available to the agent. - Sanitization: No explicit sanitization or filtering of fetched documentation is mentioned, though the skill provides a strong conceptual framework for secure implementation.
Audit Metadata