pica-claude-agents
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: CRITICALEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs the user to run '@picahq/mcp' via 'npx'. This downloads code from the npm registry at runtime, introducing a supply chain risk from an unverified source.
- [COMMAND_EXECUTION] (MEDIUM): A local subprocess is executed via the 'npx' command to host the MCP server using stdio transport.
- [DATA_EXFILTRATION] (LOW): The implementation spreads the entire 'process.env' object to the PICA subprocess. This can leak unrelated secrets (such as AWS keys or database credentials) to the external PICA service if they are present in the host environment.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection because it ingests tool outputs from 'mcpClient.callTool()' and interpolates them directly into the conversation history without sanitization or boundary markers. Evidence Chain: 1. Ingestion point: mcpClient.callTool() in SKILL.md. 2. Boundary markers: Absent. 3. Capability inventory: mcpClient.callTool() (subprocess exec) and anthropic.messages.create() (network). 4. Sanitization: Absent.
- [SAFE] (SAFE): Automated scanner alerts for 'Anthropic.Tool.In' and 'tool.in' are confirmed false positives triggered by legitimate TypeScript type names (Anthropic.Tool.InputSchema) in the Anthropic SDK.
Recommendations
- Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata