pachca-forms

Pass

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: SAFE · EXTERNAL_DOWNLOADS · COMMAND_EXECUTION · PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx @pachca/cli to fetch and execute the vendor's official command-line tool from the npm registry.
  • [COMMAND_EXECUTION]: Uses Bash commands (pachca, npx) to perform API operations such as creating messages, opening form views, and managing tasks.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its handling of external data.
      • Ingestion points: Processes webhook event data including trigger_id, callback_id, and form submission content (data) as described in SKILL.md and references/handle-form-submission-viewsubmission.md.
      • Boundary markers: No boundary markers or instructions to disregard embedded commands were found in the provided templates.
      • Capability inventory: The skill possesses the capability to execute shell commands (pachca views open, pachca messages create, etc.) that incorporate data from external sources.
      • Sanitization: There is no evidence of input validation or sanitization being performed on the webhook data before it is used in CLI command arguments.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 17, 2026, 02:43 AM