Skills
skills/phrazzld/claude-config/marketing-status/Gen Agent Trust Hub

marketing-status

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (MEDIUM): The skill configures the @posthog/mcp-server using npx. Because 'posthog' is not on the trusted organization whitelist, this constitutes execution of unverifiable remote code.
  • EXTERNAL_DOWNLOADS (LOW): The skill references @stripe/mcp; as 'stripe' is a trusted organization, this download is considered low risk.
  • COMMAND_EXECUTION (LOW): CLI examples provided use curl and jq for manual data retrieval, which is standard for technical skills but requires caution.
  • PROMPT_INJECTION (LOW): Incurs risk of Indirect Prompt Injection (Category 8). 1. Ingestion points: PostHog and Stripe API responses (metrics, events). 2. Boundary markers: Absent in the dashboard template. 3. Capability inventory: curl, npx, and shell execution via CLI examples. 4. Sanitization: No sanitization or validation of the fetched data is described.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 17, 2026, 06:26 PM