triggers
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill defines various triggers (Email, Http, WebSocket, Kafka, NATS, Postgres, MQTT, SQS, GCP, Azure) that ingest data from external, potentially untrusted sources. This creates a surface for indirect prompt injection where an attacker could embed malicious instructions in a trigger payload (such as an email body or webhook message) to influence the agent's behavior.
  - Ingestion points: Untrusted data enters the agent's context through fields like parsed_email, raw_email, and various message payloads defined in the trigger schemas (SKILL.md).
  - Boundary markers: The instructions lack explicit delimiters or guidance for the agent to treat trigger-supplied data as untrusted or to ignore embedded instructions.
  - Capability inventory: The skill enables the agent to execute scripts or flows (script_path), interact with S3 object storage via the wmill SDK, and run CLI commands (wmill sync push).
  - Sanitization: There are no instructions for sanitizing, escaping, or validating the content of the incoming trigger data before processing.
- [COMMAND_EXECUTION]: The skill documents the use of wmill sync push and wmill sync pull CLI commands. The instructions include a safety warning, advising the agent to only run the destructive push command when explicitly requested by the user, which mitigates the risk of accidental execution.
Audit Metadata