pachca-forms

Pass

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: SAFE (flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool with curl to interact with the official Pachca API at https://api.pachca.com/api/shared/v1. This is the primary method for opening views and managing form interactions.
  • [PROMPT_INJECTION]: An indirect prompt injection surface is identified because the skill processes external data originating from user interactions with the forms.
      • Ingestion points: The data field within the view_submission webhook payload (referenced in SKILL.md) contains arbitrary user input.
      • Boundary markers: No specific delimiters or instructions to ignore embedded commands within the form data are implemented.
      • Capability inventory: The skill has access to the Bash(curl *) tool to make network requests.
      • Sanitization: The skill description does not specify any sanitization or validation of the values received in the data field before they are processed or used in subsequent API calls.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 7, 2026, 03:34 PM