subscription-offers

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting content from the user's local environment to drive its generation logic.
  • Ingestion points: The skill uses Glob and Grep tools to search and read existing project files, specifically those matching patterns like **/*Offer*.swift and **/*Eligibility*.swift.
  • Boundary markers: No specific boundary markers or 'ignore' instructions are used to prevent the agent from following malicious commands that might be embedded in the read project files.
  • Capability inventory: The skill utilizes Write and Edit tools to create and modify multiple files within the user's project directory based on the ingested data.
  • Sanitization: There is no evidence of content validation or sanitization of the data read from the local files before it is processed by the model.
  • [DATA_EXFILTRATION]: The skill provides templates that implement network communication with an external, non-whitelisted server.
  • Evidence: The OfferSignatureProvider.swift template in templates.md contains code to perform POST requests to https://your-server.com/api/offer-signature.
  • Details: The generated code transmits productID, offerID, and applicationUsername to the remote endpoint. While this is a standard requirement for StoreKit promotional offers, it constitutes a pattern of data transmission to a non-whitelisted external domain.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 18, 2026, 05:18 PM
Security Audit — agent-trust-hub — subscription-offers