pachca-security
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION | DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads the official '@pachca/cli' package from the NPM registry via 'npx' and suggests global installation using 'npm'. These resources are legitimate tools provided by the vendor 'pachca'.
- [COMMAND_EXECUTION]: Executes multiple shell commands using 'npx' and the 'pachca' CLI to fetch security audit events, check authentication status, and create messages. These operations are within the scope of security administration.
- [DATA_EXFILTRATION]: Handles Pachca API tokens using environment variables and command-line arguments. The skill also facilitates the export of audit logs to external systems, which is the primary intended use-case and is performed via authenticated vendor tools.
- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection through the ingestion of external audit log data.
  - Ingestion points: Output from 'pachca security list' command (SKILL.md).
  - Boundary markers: None present.
  - Capability inventory: Bash execution (npx, npm, pachca) and message creation.
  - Sanitization: None documented for the processing of log entries.