clickup-hello-world
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: Secret Management: The skill correctly instructs the use of an environment variable ($CLICKUP_API_TOKEN) for API authentication, avoiding hardcoded credentials.
- [SAFE]: Network Security: All network requests are directed to api.clickup.com, which is the official and well-known service domain for the ClickUp API.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface:
  - Ingestion points: The skill ingests data from the ClickUp API via curl commands in SKILL.md.
  - Boundary markers: No explicit markers or delimiters are used to wrap API response data in the context.
  - Capability inventory: The skill utilizes Bash(curl:*) to make network requests.
  - Sanitization: There is no evidence of sanitization or validation of the text data returned from ClickUp before it is integrated into the session context.