agentforce-observe

Pass

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Salesforce CLI (sf) to query data, retrieve metadata, and manage agent bundles. It also uses Unix utilities like grep, find, and jq to navigate local project files and process JSON output.
  • [REMOTE_CODE_EXECUTION]: The skill involves deploying a local Apex class (AgentforceOptimizeService.cls) to a Salesforce org using sf project deploy. This class serves as a service layer to fetch session and RAG metrics from Data Cloud. This is a functional requirement for the skill's diagnostic capabilities.
  • [PROMPT_INJECTION]: The skill processes session traces and conversation logs originating from Data Cloud, which include untrusted user input from production interactions. This represents a surface for indirect prompt injection where malicious utterances in the logs could attempt to influence the AI agent's analysis.
  • Ingestion points: Session data and conversation messages retrieved via the AgentforceOptimizeService Apex class.
  • Boundary markers: Not explicitly defined in the prompts that process the logs.
  • Capability inventory: The agent has access to Bash, Write, and Edit tools, and can execute CLI commands to modify Salesforce metadata.
  • Sanitization: The Apex service class uses String.escapeSingleQuotes() to sanitize query parameters, and Data Cloud queries are performed via the structured ConnectApi namespace.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 29, 2026, 01:58 PM
Security Audit — agent-trust-hub — agentforce-observe