sales-read-ai
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface via a self-modifying feedback loop.
- Ingestion points: The agent is instructed to read
references/learnings.mdat the start of Step 1 inSKILL.mdto gather context from previous interactions. - Boundary markers: There are no boundary markers or instructions to treat the content of
references/learnings.mdas untrusted data. - Capability inventory: The agent is directed to append new "gotchas, workarounds, or tips" to
references/learnings.mdin Step 4, enabling the persistence of content from the current conversation into the persistent storage file. - Sanitization: No sanitization or validation of the data being written to or read from the learnings file is implemented.
- [COMMAND_EXECUTION]: The skill provides several shell commands for installing related extensions.
- Evidence:
SKILL.mdincludes commands likenpx skills add sales-skills/sales --skill sales-note-taker -a claude-code -y. - Context: These commands facilitate the installation of additional skills from the same author repository.
- [EXTERNAL_DOWNLOADS]: The skill references multiple external endpoints for the Read.ai platform and automation services.
- Endpoints: Documentation points to
https://api.read.ai/mcp/for MCP server access,https://api.read.ai/for REST API access, and integrations with Zapier and n8n. - Context: These are legitimate endpoints for the primary service the skill is designed to support.
Audit Metadata