uptime-kuma
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a Python script located at `scripts/kuma.py` to interact with the Uptime Kuma API. It supports various operations including status checks, listing monitors, and administrative tasks like adding or deleting monitors.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the `uptime-kuma-api` Python package from a standard registry. This is a well-known library used for programmatic access to Uptime Kuma instances.
- [CREDENTIALS_UNSAFE]: The setup instructions advise users to configure `UPTIME_KUMA_USERNAME` and `UPTIME_KUMA_PASSWORD` as environment variables. While this is a common practice for CLI tools, it involves handling sensitive authentication data.
- [PROMPT_INJECTION]: As the skill ingests data from a remote Uptime Kuma server (such as monitor names, tags, and status history), it presents an indirect prompt injection surface.
  - Ingestion points: Data is retrieved from the configured `UPTIME_KUMA_URL` during commands like `status`, `list`, and `get` (documented in SKILL.md).
  - Boundary markers: None identified; retrieved data is likely interpolated directly into the agent's context.
  - Capability inventory: The skill has the ability to perform write operations (add, delete, pause, resume monitors) via `scripts/kuma.py`.
  - Sanitization: No explicit sanitization of the remote server data is described in the provided configuration.
Audit Metadata