skills/pachca/openapi/pachca-messages/Gen Agent Trust Hub

pachca-messages

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill uses the official @pachca/cli package to interact with the Pachca messaging API. This is a standard and safe practice for platform-specific tools where the code is authored by the service provider.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the @pachca/cli tool via npm or use it via npx. These are verified vendor resources hosted on the public NPM registry.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by retrieving and displaying message history and member lists. However, this functionality is necessary for its primary purpose, and there are no signs of exploitable high-privilege capabilities or malicious intent.
      • Ingestion points: SKILL.md (pachca messages list, pachca messages get), references/mention-user-by-name.md (pachca members list)
      • Boundary markers: Absent
      • Capability inventory: SKILL.md (pachca messages create, pachca messages update, pachca messages delete, pachca upload, pachca messages pin), references/send-message-with-files.md (pachca upload)
      • Sanitization: Absent
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 9, 2026, 01:18 PM