paperclip-board
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill performs its operations by executing
curlcommands via a bash shell. This is used for all API interactions, including creating agents, updating tasks, and fetching dashboards. - [EXTERNAL_DOWNLOADS]: The skill fetches data and configuration files from the Paperclip API (defined by the
PAPERCLIP_API_URLenvironment variable). This includes agent definitions, icon lists, and document content. - [DATA_EXPOSURE]: The skill accesses the
PAPERCLIP_API_KEYandPAPERCLIP_API_URLenvironment variables to authenticate and route its requests. This is standard behavior for a CLI-based management tool. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it reads and summarizes data from the API (such as 'Board Operations' logs and task comments) which could contain untrusted input. However, the instructions focus on summarization and there is no evidence of unsafe interpolation that would lead to immediate compromise.
Audit Metadata