event-lead-enrichment
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from external lead CSV files, which are then used to inform the agent's actions and reporting.
- Ingestion points: Raw lead CSV files (e.g., booth scans) provided by the user, specifically the 'Notes' field, which is processed for lead scoring and summarized in the final output as described in SKILL.md and implemented in scripts/build_enriched.py.
- Boundary markers: The skill lacks explicit boundary markers or delimiters to isolate untrusted lead data from the system instructions in the agent's context.
- Capability inventory: The skill possesses significant capabilities, including executing shell commands (python3), querying organizational data via commonroom_list_objects, and modifying event records via manage_events.
- Sanitization: While the Python scripts perform data normalization and keyword matching, they do not provide sanitization against prompt injection, allowing potentially malicious content in the CSV to reach the agent's reasoning process.
- [COMMAND_EXECUTION]: The skill executes local Python scripts provided in the package to handle data processing and Excel workbook generation.
- Evidence: SKILL.md directs the agent to run scripts/build_enriched.py and scripts/build_combined.py using python3, passing parameters that include user-supplied file paths.
Audit Metadata