clix-event-tracking

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (MEDIUM): The skill ingests data from a user-provided or repository-sourced event-plan.json to guide the agent in implementing tracking code. This creates an attack surface where malicious content in the JSON could influence the agent's code generation.
      • Ingestion points: event-plan.json processed during the workflow in SKILL.md and scripts/validate-event-plan.sh.
      • Boundary markers: Absent in the instruction templates.
      • Capability inventory: The agent possesses file-writing capabilities to implement tracking code across multiple platforms (iOS, Android, etc.).
      • Sanitization: The skill includes a dedicated validation script that enforces snake_case naming conventions via regex and restricts property types, providing strong protection for those specific fields. However, free-text fields like 'when' remain unvalidated.
  • Command Execution (LOW): The skill instructs the agent to execute a local shell script (scripts/validate-event-plan.sh). While the script is part of the skill's own package and performs benign validation logic using Python/Node, any shell execution by an agent is a finding that requires oversight.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 03:24 AM