b2c-slas

Pass

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill guides the agent to construct shell commands from user-supplied inputs such as tenant IDs, client IDs, and OAuth scopes. This is an indirect prompt injection surface: if those values are interpolated into a shell command string without validation or proper argument handling, whoever controls them can achieve command injection at execution time.
  • [CREDENTIALS_UNSAFE]: The documentation includes examples that pass sensitive authentication data, including shopper passwords and SLAS client secrets, directly as command-line arguments (e.g., --shopper-password secret). The tool does need these values, but placing them in argv exposes them to process listings (ps), shell history, and any logging of the command line.
  • [EXTERNAL_DOWNLOADS]: The skill invokes the Salesforce B2C CLI via npx @salesforce/b2c-cli, which fetches the package from the public npm registry at run time. The package is the vendor's official one, but without a pinned version whatever the registry currently serves as latest is what gets executed.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 15, 2026, 04:00 PM