clickup-hello-world

Pass

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill utilizes environment variables (CLICKUP_API_TOKEN) for authentication, avoiding the risk of hardcoded credentials.
  • [SAFE]: Network operations are directed to the official and well-known ClickUp API domain (api.clickup.com).
  • [PROMPT_INJECTION]: The skill processes external data from ClickUp API responses, which represents a surface for indirect prompt injection. This is a standard characteristic of API-based skills.
      1. Ingestion points: API responses from api.clickup.com in SKILL.md.
      2. Boundary markers: None present.
      3. Capability inventory: Bash, Write, Edit, Read.
      4. Sanitization: No explicit validation of external API content.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 30, 2026, 02:43 PM