aps-doc-ingestion

Warn

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill requires mandatory access to codebase directories and configuration files (e.g., .dig, .yml, datasources.yml). It is instructed to extract and document real system details, including JDBC connection strings, endpoint URLs, and cloud storage bucket paths.
  • [CREDENTIALS_UNSAFE]: The agent is explicitly tasked with detecting and documenting authentication credentials, including usernames, passwords, API keys, and service account tokens. The instruction to use 'real, extracted data' and avoid generic placeholders significantly increases the risk of exposing sensitive secrets in the generated documentation output.
  • [PROMPT_INJECTION]: The skill allows the ingestion of external documentation templates via user-provided URLs (e.g., Confluence links). This represents an indirect prompt injection surface as the agent is instructed to follow the structure of the provided link without explicit sanitization or boundary markers to prevent the remote content from overriding its behavior.
  • Ingestion points: Workflow files (.dig), configuration files (.yml), and user-provided template URLs.
  • Boundary markers: Absent; no delimiters or warnings to ignore instructions within the processed files are specified.
  • Capability inventory: File system access for scanning and reading, and text generation for documentation.
  • Sanitization: Largely absent; while one section mentions documenting OAuth 'securely,' other instructions explicitly command the documentation of usernames and passwords.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Mar 31, 2026, 06:54 AM
Security Audit — agent-trust-hub — aps-doc-ingestion