Skills
skills/orcaqubits/agentic-commerce-skills-plugins/ucp-orders-webhooks/Gen Agent Trust Hub

ucp-orders-webhooks

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to fetch specifications from ucp.dev and a conformance test suite from github.com/Universal-Commerce-Protocol/conformance. These are external resources specific to the protocol implementation and are necessary for the skill's stated purpose.\n- [PROMPT_INJECTION]: The skill uses WebSearch and WebFetch to retrieve live specifications from external sources, which presents an attack surface for indirect prompt injection if the fetched content is maliciously crafted.\n
  • Ingestion points: Specification documents and reference material from ucp.dev and web search results are ingested into the agent context.\n
  • Boundary markers: No specific delimiters or safety instructions are provided to the agent for processing the external content.\n
  • Capability inventory: The skill allows use of Bash, Write, and Edit tools, which could be targeted by instructions hidden in external data.\n
  • Sanitization: There are no instructions for sanitizing or validating the fetched specification data.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 31, 2026, 06:09 AM