gtm-get-better

Pass

Audited by Gen Agent Trust Hub on Jul 3, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the ingestion of untrusted external communications. It reads email replies and direct messages from files in the outreach-log/ directory to classify engagement performance.
  • Ingestion points: Untrusted content enters the agent's context from outreach-log/email-replies.jsonl (sourced from Gmail) and outreach-log/manual-replies.jsonl.
  • Boundary markers: No specific delimiters or "ignore embedded instructions" warnings are used when processing the text of these replies.
  • Capability inventory: The skill has the capability to write to local state files, append to the project's primary sales documentation (sales-pack.md), execute local CLI tools, and modify its own and other skill instruction files (SKILL.md).
  • Sanitization: There is no evidence of sanitization or filtering of the ingested message bodies before they are classified by the model.
  • [PROMPT_INJECTION]: In Step 8.5, the skill can modify its own instructions and the instructions of associated skills (e.g., gtm-x-outreach/SKILL.md) based on patterns extracted from untrusted external replies. While the process includes a guardrail requiring manual founder approval for each edit, a sophisticated attacker could craft replies designed to trick the model into recommending and applying malicious logic or insecure default templates to the agent's core skill files.
  • [COMMAND_EXECUTION]: The skill is instructed to execute the /gtm-cold-email --check-replies command. This is a local command execution that facilitates communication with an external API (Gmail) to retrieve fresh outreach data. This tool appears to be a legitimate part of the vendor's application suite.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 3, 2026, 05:53 PM
Security Audit — agent-trust-hub — gtm-get-better