outreach-sequence-builder
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
COMMAND_EXECUTION EXTERNAL_DOWNLOADS DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands to verify environment variables (`GEMINI_API_KEY`, `COMPOSIO_API_KEY`) and the existence of local documentation files. It uses `curl` to send data to the Google Gemini API and a Python one-liner to parse the JSON response.
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to `generativelanguage.googleapis.com` (Google Gemini API). It also references an installation command using `npx` from the `@opendirectory.dev` registry, which is the official namespace for the skill's authoring platform.
- [DATA_EXFILTRATION]: Business context, including target personas and account details retrieved from `docs/icp.md` and account-specific markdown files, is sent to the external Google Gemini API. This is the intended core functionality for personalizing the outreach messages.
- [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from local markdown files and interpolates it into the prompt sent to the LLM.
  - Ingestion points: Content from `docs/icp.md` and `docs/accounts/*.md` is loaded and used to construct the final API request.
  - Boundary markers: There are no explicit delimiters or 'ignore' instructions implemented to isolate the ingested file content from the system instructions in the prompt template.
  - Capability inventory: The skill has access to network operations (`curl`), local execution (`python3`), and file system writes (`cat`, `mkdir`), which could be abused if an attacker can influence the files read by the skill.
  - Sanitization: No validation or escaping is performed on the content of the markdown files before processing.
Audit Metadata