basecamp-cli
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill exposes a large attack surface for indirect prompt injection because it ingests untrusted data from the Basecamp 4 API and provides the agent with high-privilege write capabilities.
  - Ingestion points: Untrusted data enters the agent context through tools that retrieve projects, messages, todos, and chat lines (e.g., basecamp_list_todos, basecamp_get_message, basecamp_list_campfires).
  - Boundary markers: There are no evident boundary markers or delimiters used to wrap external content when it is returned to the agent, increasing the risk that the agent may interpret data as instructions.
  - Capability inventory: The skill includes 76 tools with significant side effects, including the ability to delete or archive project resources and manage webhooks (e.g., basecamp_delete_todo, basecamp_archive_project, basecamp_delete_webhook).
  - Sanitization: No sanitization or filtering logic was found to strip or escape potentially malicious instructions embedded in the HTML/text content fetched from Basecamp.
- Data Exposure & Exfiltration (LOW): While the skill manages OAuth tokens, it employs responsible security practices.
  - Evidence: Tokens are stored locally using AES-256-CBC encryption with a machine-specific key (src/lib/config.ts).
  - Evidence: Sensitive client secrets are never stored in the configuration file and are required to be provided via environment variables (BASECAMP_CLIENT_SECRET).
Recommendations
- AI detected serious security threats
Audit Metadata