skills/jeremylongshore/claude-code-plugins-plus-skills/clickup-deploy-integration/Gen Agent Trust Hub
clickup-deploy-integration
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill correctly instructs users to manage sensitive information using platform-native tools such as Vercel Environment Variables, Fly.io Secrets, and Google Cloud Secret Manager, ensuring credentials like the CLICKUP_API_TOKEN are handled securely.
- [SAFE]: Outbound network activity in the provided code snippets is restricted to the official ClickUp API (api.clickup.com), which is a well-known service.
- [PROMPT_INJECTION]: The skill defines templates for handling external data via webhooks and API parameters. While standard for SaaS integrations, this represents a potential surface for indirect prompt injection if untrusted data from these sources is later processed by the agent.
  - Ingestion points: api/webhooks/clickup.ts (request body) and api/clickup/tasks.ts (URL query parameters).
  - Boundary markers: None explicitly defined in the provided code snippets.
  - Capability inventory: The skill utilizes Read, Write, Edit, and platform-specific Bash tools.
  - Sanitization: The provided examples perform basic presence checks but do not include comprehensive input sanitization or schema validation.
Audit Metadata