investment-decision-report
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill primarily consists of markdown templates for structured financial reporting. No malicious commands, obfuscated content, or unauthorized network operations were found.
- [DATA_EXPOSURE]: The skill accesses '../../CLAUDE.md' to retrieve organizational approval thresholds and IRR requirements. This is documented as a legitimate functional requirement for the skill's stated purpose of determining decision levels.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface by aggregating data from external calculation tools.
  1. Ingestion points: Summarizes results from external calculation tools (NPV, IRR, etc.).
  2. Boundary markers: Absent.
  3. Capability inventory: No dangerous capabilities (subprocess, eval, or network access) are present in the skill scripts.
  4. Sanitization: Absent.

  The risk is considered negligible as the skill lacks execution or network capabilities to exfiltrate data.