plain-support
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill ingests untrusted data from customer support threads and help center content. This creates an attack surface where an attacker can embed malicious instructions in a message or article to influence the agent's actions.
  1. Ingestion points: `thread timeline`, `thread get`, `customer search`, and `helpcenter article get`.
  2. Boundary markers: Not identified; the skill documentation does not mention delimiters or instructions to ignore embedded commands.
  3. Capability inventory: The skill can execute bash scripts (`scripts/plain-api.sh`), read local files (`--text-file`, `--content-file`), and write data back to the Plain API (adding notes or updating articles).
  4. Sanitization: No evidence of input sanitization or filtering of customer-provided content.
- [Data Exposure] (SAFE): The skill requires the `PLAIN_API_KEY` environment variable. This is a more secure way to handle credentials than hardcoding them. No sensitive local file paths are accessed by default.
- [Command Execution] (SAFE): Usage of `curl` and `jq` via a local script is consistent with the stated purpose of interacting with the Plain GraphQL API.
Audit Metadata