pica
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill documentation instructs the installation of a global Node.js package @picahq/cli from an untrusted source (not included in the whitelisted organizations/repositories).
- [COMMAND_EXECUTION] (MEDIUM): The skill relies on and encourages the execution of multiple shell commands (pica init, pica add, pica platforms) and manual modifications to the system PATH environment variable.
- [DATA_EXFILTRATION] (MEDIUM): The skill's architecture routes all data from connected integrations (including sensitive platforms like Gmail, Stripe, and Slack) through a third-party 'passthrough proxy' at app.picaos.com. While this is the intended purpose, it consolidates sensitive user data through a non-whitelisted external domain.
- [PROMPT_INJECTION] (LOW): This skill exhibits a significant surface for Indirect Prompt Injection (Category 8).
  - Ingestion points: Data is fetched from 200+ external apps via execute_pica_action and get_pica_action_knowledge.
  - Boundary markers: None identified in the provided skill instructions to separate untrusted platform data from agent instructions.
  - Capability inventory: The skill has broad capabilities including reading/writing to external APIs and shell command execution.
  - Sanitization: No evidence of input sanitization or validation of external content before processing.
Audit Metadata