pica-openai-agents
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references the installation of `@openai/agents` and `zod` via package managers. These are established packages from a trusted organization (OpenAI) and well-known registries.
- [COMMAND_EXECUTION]: The integration utilizes `MCPServerStdio` to execute `@picahq/mcp` via `npx`. This is the standard operational method for Model Context Protocol (MCP) servers and involves running a vendor-provided package as a local subprocess.
- [PROMPT_INJECTION]: The skill facilitates the connection of an AI agent to external third-party services (CRMs, email, etc.) through PICA tools. This creates an inherent surface for indirect prompt injection, where data retrieved from these external sources could contain instructions designed to influence the agent's behavior.
- Ingestion points: Data from connected third-party integrations (CRMs, email, databases) enters the agent context via the MCP server.
- Boundary markers: The provided code snippets do not explicitly show the use of delimiters or 'ignore embedded instructions' prompts for external data.
- Capability inventory: The agent has capabilities to execute tools provided by the PICA MCP server, which may include reading or writing to external services.
- Sanitization: No explicit sanitization or filtering logic is provided in the integration examples.
Audit Metadata