ucp-setup
Pass
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches SDKs, sample code, and specification guidelines from the Universal-Commerce-Protocol GitHub repositories and official documentation domains.
- [COMMAND_EXECUTION]: Instructs the agent to perform package installations using Python's `pip` and Node.js's `npm`, including a community-contributed Python package.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it directs the agent to fetch and interpret untrusted data from external websites and repositories to guide the scaffolding process.
- Ingestion points: Remote URLs (including ucp.dev, github.com, and developers.google.com) are accessed via `WebFetch` and `WebSearch` to retrieve READMEs and specifications.
- Boundary markers: The instructions lack explicit delimiters or warnings to the agent to treat fetched content as data rather than instructions.
- Capability inventory: The skill allows for file system modifications (`Write`, `Edit`) and shell command execution (`Bash`).
- Sanitization: There is no defined process for validating or sanitizing the content retrieved from remote sources before it influences the agent's code generation or execution steps.
Audit Metadata