clippy
Fail
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to clone and install code from a third-party GitHub repository (https://github.com/foeken/clippy.git) that is not listed as a trusted organization or well-known service.
- [REMOTE_CODE_EXECUTION]: Following the download, the skill executes the remote code using bun run src/cli.ts, which runs unverified TypeScript source code directly.
- [COMMAND_EXECUTION]: The skill facilitates the execution of various system commands via the clippy binary to manage Microsoft 365 data, including file system operations like downloading attachments (clippy mail -d).
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external sources (emails and calendar events) and possesses powerful capabilities.
  - Ingestion points: Data enters the context through clippy mail (reading emails) and clippy calendar (viewing events), as described in SKILL.md.
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands are present in the skill's instructions.
  - Capability inventory: The skill can perform sensitive actions including clippy send (sending emails), clippy delete-event (deleting calendar data), and clippy mail -d (writing files to the disk).
  - Sanitization: There is no evidence of sanitization or filtering of the external content before it is processed by the agent.
- [PERSISTENCE_MECHANISMS]: The documentation explicitly recommends establishing persistence on the host operating system by setting up launchd (macOS) or systemd (Linux) services to maintain a background browser session for the CLI tool.
Recommendations
- AI detected serious security threats