gtm-get-better
Pass
Audited by Gen Agent Trust Hub on Jul 3, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the ingestion of untrusted external communications. It reads email replies and direct messages from files in the
outreach-log/directory to classify engagement performance. - Ingestion points: Untrusted content enters the agent's context from
outreach-log/email-replies.jsonl(sourced from Gmail) andoutreach-log/manual-replies.jsonl. - Boundary markers: No specific delimiters or "ignore embedded instructions" warnings are used when processing the text of these replies.
- Capability inventory: The skill has the capability to write to local state files, append to the project's primary sales documentation (
sales-pack.md), execute local CLI tools, and modify its own and other skill instruction files (SKILL.md). - Sanitization: There is no evidence of sanitization or filtering of the ingested message bodies before they are classified by the model.
- [PROMPT_INJECTION]: In Step 8.5, the skill can modify its own instructions and the instructions of associated skills (e.g.,
gtm-x-outreach/SKILL.md) based on patterns extracted from untrusted external replies. While the process includes a guardrail requiring manual founder approval for each edit, a sophisticated attacker could craft replies designed to trick the model into recommending and applying malicious logic or insecure default templates to the agent's core skill files. - [COMMAND_EXECUTION]: The skill is instructed to execute the
/gtm-cold-email --check-repliescommand. This is a local command execution that facilitates communication with an external API (Gmail) to retrieve fresh outreach data. This tool appears to be a legitimate part of the vendor's application suite.
Audit Metadata