agentforce-observe
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Salesforce CLI (
sf) to query data, retrieve metadata, and manage agent bundles. It also uses Unix utilities likegrep,find, andjqto navigate local project files and process JSON output. - [REMOTE_CODE_EXECUTION]: The skill involves deploying a local Apex class (
AgentforceOptimizeService.cls) to a Salesforce org usingsf project deploy. This class serves as a service layer to fetch session and RAG metrics from Data Cloud. This is a functional requirement for the skill's diagnostic capabilities. - [PROMPT_INJECTION]: The skill processes session traces and conversation logs originating from Data Cloud, which include untrusted user input from production interactions. This represents a surface for indirect prompt injection where malicious utterances in the logs could attempt to influence the AI agent's analysis.
- Ingestion points: Session data and conversation messages retrieved via the
AgentforceOptimizeServiceApex class. - Boundary markers: Not explicitly defined in the prompts that process the logs.
- Capability inventory: The agent has access to
Bash,Write, andEdittools, and can execute CLI commands to modify Salesforce metadata. - Sanitization: The Apex service class uses
String.escapeSingleQuotes()to sanitize query parameters, and Data Cloud queries are performed via the structuredConnectApinamespace.
Audit Metadata