gtm-linkedin-outreach
Pass
Audited by Gen Agent Trust Hub on Jul 3, 2026
Risk Level: SAFEDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill reads and writes sensitive configuration, including API keys for outreach tools, within the project's
.envfile and.gtm-statedirectory. - Evidence: Instructions to store
LEMLIST_API_KEY,AMPLEMARKET_API_KEY, andLGM_API_KEYin${CURSOR_PLUGIN_ROOT}/.env. - Evidence: Reading and writing tool choices and rate limits to
${CURSOR_PLUGIN_ROOT}/.gtm-state/tools.json. - [EXTERNAL_DOWNLOADS]: The skill transmits data to external, well-known automation services to perform its primary outreach function.
- Evidence: Data is sent to Lemlist via
POST https://api.lemlist.com/api/campaigns/{{campaignId}}/leads. - Evidence: Connection attempts to
api.lemlist.com,docs.amplemarket.com, andapi-docs.lagrowthmachine.com. - [COMMAND_EXECUTION]: The skill executes shell commands to verify prerequisites and perform API operations.
- Evidence: Execution of
test -f sales-pack.mdto check for required files. - Evidence: Use of
curlto test API connectivity and send prospect data to remote endpoints. - [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from prospect CSVs and LinkedIn profiles, which is then interpolated into prompts for message drafting, creating a surface for indirect injection.
- Ingestion points: Reads from
prospects/*.csvand processes user-pasted LinkedIn profile About sections and posts. - Boundary markers: No specific delimiters or "ignore instructions" warnings are used around the interpolated data in the message templates.
- Capability inventory: The agent has the ability to write to the local file system (e.g.,
.env,.gtm-state/) and perform network requests viacurl. - Sanitization: No evidence of validation or sanitization of the prospect-provided text before it is processed by the model.
Audit Metadata