pp-amazon-ads
Warn
Audited by Snyk on Jun 21, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime install commands that fetch-and-execute remote code required to run the CLI — e.g. "npx -y @mvanhorn/printing-press-library install amazon-ads --cli-only" and "go install github.com/mvanhorn/printing-press-library/library/commerce/amazon-ads/cmd/amazon-ads-pp-cli@latest" (and the analogous amazon-ads-pp-mcp go install), which are external module URLs run at install time and thus directly execute remote code the skill depends on.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill exposes explicit APIs and CLI commands to create and update advertising budgets and budget rules, and includes mutation/apply modes that send updates (e.g., sponsored-brands-sb create-budget-rules-for-sbcampaigns, update-budget-rules-for-sbcampaigns; sponsored-display-sd create/update-budget-rules-for-sdcampaigns; sponsored-products-sp update-budget-rules-for-spcampaigns; commands like budget-rebalance --total-budget and automation --apply which perform mutations). These are not mere read-only reporting calls — they explicitly mutate ad spend configuration (directly changing budgets/rules), which meets the "Direct Financial Execution" criterion.
Issues (2)
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata