observing-agentforce
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill deploys a custom Apex class, AgentforceOptimizeService.cls, to the Salesforce org to query Data Cloud Session Trace Data Model (STDM) objects. This code runs on the Salesforce platform. The source code is provided for review within the skill package and is necessary for gathering historical performance data.
- [COMMAND_EXECUTION]: The skill extensively uses the Salesforce CLI (sf), Python one-liners, and standard shell utilities (grep, sed, find, jq) to query org data, parse JSON logs, and analyze local .agent files. These operations are restricted to the local development environment and the authenticated Salesforce org.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface.
  - Ingestion points: The skill retrieves production conversation messages and LLM prompt/response pairs from Salesforce Data Cloud DMOs (e.g., ssot__AiAgentInteractionMessage__dlm) for analysis.
  - Boundary markers: No specific boundary markers are applied when the agent processes retrieved conversation content, meaning malicious instructions in production traces could theoretically influence the agent's reasoning.
  - Capability inventory: The skill has high-privilege capabilities, including editing agent configuration files and publishing changes to the live agent (sf agent publish).
  - Sanitization: The Apex class uses String.escapeSingleQuotes() to prevent SQL injection during Data Cloud queries, but it does not perform semantic sanitization of the conversation content it retrieves. This risk is inherent to the skill's primary purpose of analyzing external session data.
Audit Metadata