subscription-offers
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting content from the user's local environment to drive its generation logic.
- Ingestion points: The skill uses
GlobandGreptools to search and read existing project files, specifically those matching patterns like**/*Offer*.swiftand**/*Eligibility*.swift. - Boundary markers: No specific boundary markers or 'ignore' instructions are used to prevent the agent from following malicious commands that might be embedded in the read project files.
- Capability inventory: The skill utilizes
WriteandEdittools to create and modify multiple files within the user's project directory based on the ingested data. - Sanitization: There is no evidence of content validation or sanitization of the data read from the local files before it is processed by the model.
- [DATA_EXFILTRATION]: The skill provides templates that implement network communication with an external, non-whitelisted server.
- Evidence: The
OfferSignatureProvider.swifttemplate intemplates.mdcontains code to perform POST requests tohttps://your-server.com/api/offer-signature. - Details: The generated code transmits
productID,offerID, andapplicationUsernameto the remote endpoint. While this is a standard requirement for StoreKit promotional offers, it constitutes a pattern of data transmission to a non-whitelisted external domain.
Audit Metadata