skills/tuanductran/hr-skills/hr-kpi/Gen Agent Trust Hub

hr-kpi

Pass

Audited by Gen Agent Trust Hub on Jul 7, 2026

Risk Level: SAFENO_CODEPROMPT_INJECTION
Full Analysis
  • [NO_CODE]: The skill consists entirely of Markdown documentation and prompt templates. There are no scripts, binaries, or executable components that could perform unauthorized actions on the host system.
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection because it instructs the agent to ingest and analyze untrusted external data (user-provided HR records) without implementing security best practices.
  • Ingestion points: SKILL.md (Workflows 1, 3, 4) and examples/building-an-hr-kpi-dashboard-for-a-growing-tech-company.md (Step 6) explicitly prompt the user to paste raw workforce data for analysis.
  • Boundary markers: Absent. The templates do not use delimiters (e.g., XML tags or triple backticks) or provide instructions for the agent to ignore any natural language instructions that might be embedded within the pasted data fields.
  • Capability inventory: The skill facilitates data analysis, mathematical calculations, and the generation of narrative reports or action plans within the chat session.
  • Sanitization: No validation or sanitization logic is provided to handle potentially malicious input in the data processing workflows.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 7, 2026, 02:48 AM
Security Audit — agent-trust-hub — hr-kpi