recoup-roster-add-artist
Pass
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill utilizes the vendor's own platform APIs and established music industry data sources to perform artist management tasks. All external network interactions are consistent with the skill's stated purpose.
- [PROMPT_INJECTION]: Analysis identified a surface for indirect prompt injection during the artist enrichment phase.
- Ingestion points: Artist metadata and social media information are fetched from Spotify APIs and external web searches (SKILL.md, Steps 4 and 6).
- Boundary markers: Not present; data is written into markdown templates (RELEASE.md, artist-template.md) without explicit markers to isolate untrusted content from the agent's instructional context.
- Capability inventory: The skill possesses file-write capabilities (scaffolding RELEASE.md and updating RECOUP.md) and network-write capabilities (PATCHing artist profiles on the platform API).
- Sanitization: No explicit sanitization, validation, or escaping of the ingested external content was observed in the instruction flow.
Audit Metadata