recoup-roster-add-artist

Pass

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill utilizes the vendor's own platform APIs and established music industry data sources to perform artist management tasks. All external network interactions are consistent with the skill's stated purpose.
  • [PROMPT_INJECTION]: Analysis identified a surface for indirect prompt injection during the artist enrichment phase.
  • Ingestion points: Artist metadata and social media information are fetched from Spotify APIs and external web searches (SKILL.md, Steps 4 and 6).
  • Boundary markers: Not present; data is written into markdown templates (RELEASE.md, artist-template.md) without explicit markers to isolate untrusted content from the agent's instructional context.
  • Capability inventory: The skill possesses file-write capabilities (scaffolding RELEASE.md and updating RECOUP.md) and network-write capabilities (PATCHing artist profiles on the platform API).
  • Sanitization: No explicit sanitization, validation, or escaping of the ingested external content was observed in the instruction flow.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 24, 2026, 11:34 PM