recoup-content-asset-pack
Pass
Audited by Gen Agent Trust Hub on Jul 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches content generation templates, artist research data (audio analysis, milestones), and marketing metrics from the official Recoup API at api.recoupable.dev.
- [COMMAND_EXECUTION]: Utilizes standard system utilities including curl for API communication, jq for robust JSON processing, and sed for workspace configuration parsing.
- [PROMPT_INJECTION]: The skill implements an automated 'analyze-gate' check via a Stop hook which uses an LLM-based reviewer to verify that generated visual assets have passed a visual inspection API before the agent is permitted to finish the task.
- [PROMPT_INJECTION]: Indirect prompt injection risk surface:
- Ingestion points: Reads artist identity, audience behavior, and creative constraints from local workspace files (context/artist.md, context/audience.md) and fetches external research signals from the Recoup API.
- Boundary markers: Relies on instructional grounding in reference files rather than explicit string delimiters.
- Capability inventory: Capabilities include authenticated network requests (curl) to vendor APIs and writing generated assets and manifests to the local artist workspace.
- Sanitization: Employs jq and URI encoding to handle data safely when constructing API requests.
- [DATA_EXFILTRATION]: Accesses artist-specific identity and audience context stored in the local workspace to ground generation in the artist's brand voice; these signals are sent to the Recoup API to generate corresponding creative assets.
Audit Metadata