gtm-brain-skill
Warn
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill's primary function is to read sensitive business data from local MCPs (HubSpot and Nooks) and exfiltrate it to an external Neo4j Aura database instance (
23a749c7.databases.neo4j.io). While this is the stated purpose of the 'GTM Brain', it represents a significant movement of potentially private organizational data to a third-party hosted service. - [COMMAND_EXECUTION]: The skill heavily relies on shell command execution to interface with the graph database via a local Python script (
brain.py). The instructions direct the agent to execute complex command-line strings that include raw Cypher queries and JSON blobs, which increases the risk of accidental or malicious command injection if inputs are not strictly validated. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It ingests untrusted data from external CRM tools (specifically call notes from Nooks and contact information from HubSpot) and uses this data to construct Cypher queries and provide context for the agent. An attacker with control over HubSpot or Nooks records could insert malicious instructions or Cypher fragments that the agent might inadvertently execute or follow.
- Ingestion points: Data enters through
hubspot_search_contacts(HubSpot MCP) andlistCalls(Nooks MCP) in Stage 6 and Stage 7 of theSKILL.mdfile. - Boundary markers: No explicit delimiters or boundary markers are used to separate external data from system instructions.
- Capability inventory: The skill possesses the capability to execute arbitrary Cypher queries and write to the local file system (outcome sidecar) via
scripts/brain.py. - Sanitization: There is no evidence of sanitization or escaping of external content before it is interpolated into shell commands or Cypher queries.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the
neo4jPython library. While Neo4j is a well-known service, the installation occurs during the setup phase from a public registry (PyPI).
Audit Metadata