israeli-bank-connector
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted merchant descriptions from bank statements and presents them to the AI agent.
- Ingestion points: Transaction data enters the system through the
scripts/categorize_transactions.pyscript, which accepts JSON input via the--jsoncommand-line argument. - Boundary markers: The instructions and script do not implement boundary markers or delimiters (such as XML tags or explicit 'ignore' warnings) to isolate external merchant data from the agent's instructions.
- Capability inventory: The categorization script (
scripts/categorize_transactions.py) does not contain dangerous capabilities; it relies on standard Python libraries (re,json,argparse) and does not perform file writes, network calls, or subprocess execution. - Sanitization: No sanitization, escaping, or filtering is performed on the merchant description strings before they are processed by regex or included in the spending analysis summary generated for the agent.
Audit Metadata