statsig-create-cloud-metric

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to construct and execute curl commands to interact with the Statsig Console API at statsigapi.net. This is a standard and expected behavior for interacting with the vendor's infrastructure.
  • [PROMPT_INJECTION]: The skill is subject to indirect prompt injection because it incorporates user-provided data (e.g., metric names, event definitions, and filters) into API requests.
  • Ingestion points: SKILL.md (Metric name, event definitions, and filter criteria inputs).
  • Boundary markers: Absent; there are no explicit instructions for the agent to ignore instructions embedded within the user data.
  • Capability inventory: curl command execution is defined in SKILL.md and references/create-metric-api.md.
  • Sanitization: The skill recommends using shell heredoc syntax (<<'JSON') in the curl templates to safely handle payloads that might contain single quotes or other shell-sensitive characters, which mitigates simple command injection risks.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 11, 2026, 11:32 AM