saas-spend-optimizer
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is a data analysis utility that operates strictly on local files provided by the user. It does not perform any network operations, access sensitive system directories, or execute dynamic code.
- [PROMPT_INJECTION]: The skill processes external data from CSV files. There is a surface for indirect prompt injection because values from the CSV (such as vendor names) are included in the generated report without sanitization. This could be used to inject misleading information or markdown into the agent's output.
- Ingestion points: The optimize.py script reads data from files specified by the --subs and --usage flags.
- Boundary markers: The skill does not use specific delimiters to separate untrusted CSV content from the report structure.
- Capability inventory: The skill is limited to reading files and outputting text/JSON to the console.
- Sanitization: The script performs type conversion (float/int) for numeric fields but does not sanitize string fields before rendering them in the Markdown output.
Audit Metadata