b2c-cap
Pass
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: Uses the
b2cCLI tool (or@salesforce/b2c-clivia npx) to perform commerce operations, including listing, pulling, validating, and installing packages on B2C Commerce instances. - [EXTERNAL_DOWNLOADS]: References the official
@salesforce/b2c-cliNode.js package, which is a trusted vendor resource provided for Salesforce development. - [CREDENTIALS_UNSAFE]: The skill documents the use of the
b2c setup inspect --unmaskcommand, which reveals sensitive configuration details and secrets retrieved from environment variables or local files likedw.jsonand~/.mobify. This is an intended feature of the vendor's CLI for configuration debugging and auditing. - [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by processing Commerce App Packages (CAPs) originating from external B2C instances or local file uploads.
- Ingestion points: Remote B2C instances (via
list,pull, andtaskscommands) and local file system (viavalidate,package, andinstallcommands). - Capability inventory: Shell command execution via the
b2cCLI tool, which is capable of network requests and file system modifications. - Boundary markers: None described in the skill instructions; external content is processed directly by the CLI.
- Sanitization: Relies on the CLI tool's internal validation logic for package content and structure.
Audit Metadata