weekly-kpi-report
Pass
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
bashtool to execute thedatecommand for dynamic calculation of the reporting window (Monday 00:00 to current time). This is a safe and standard implementation for ensuring time-accurate reporting without hardcoding dates. - [DATA_EXPOSURE]: The skill retrieves business performance metrics, such as dial counts, meeting bookings, and pipeline values, along with internal system identifiers (HubSpot owner IDs, Nooks user IDs). This data access is limited to the defined scope of the weekly KPI report.
- [DATA_EXFILTRATION]: Quantitative reports are delivered via Slack DM to a hardcoded internal recipient ID and saved to local files. The use of a well-known service like Slack for internal business reporting is consistent with the skill's stated purpose and does not represent unauthorized exfiltration.
- [PROMPT_INJECTION]: The skill ingests data from HubSpot (deals) and Nooks (call dispositions). However, the logic focuses on quantitative aggregation (summing amounts, counting records) rather than processing untrusted natural language, which mitigates the risk of indirect prompt injection.
Audit Metadata