freee-api-skill

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • External Downloads (MEDIUM): The skill instructions depend on the @him0/freee-mcp package hosted on npm. This package and its author are not part of the pre-approved trusted sources list, posing a supply-chain risk.
  • Command Execution (MEDIUM): The setup process involves running npx @him0/freee-mcp configure, which performs a remote download and execution of code in the user's terminal to initialize the MCP server.
  • Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection due to its architecture:
      • Ingestion points: Data is pulled from the freee API via freee_api_get (e.g., transaction descriptions, employee notes).
      • Boundary markers: There are no delimited prompts or 'ignore embedded instructions' warnings for the agent when processing API results.
      • Capability inventory: The skill provides tools for writing and deleting data (freee_api_post, freee_api_put, freee_api_delete), allowing an attacker who can influence API data (e.g., via a shared transaction) to potentially trigger unintended actions.
      • Sanitization: No evidence of sanitization or validation of the ingested API content is present in the provided documentation.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 05:06 PM