pp-amazon-ads

Warn

Audited by Snyk on Jun 21, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime install commands that fetch-and-execute remote code required to run the CLI — e.g. "npx -y @mvanhorn/printing-press-library install amazon-ads --cli-only" and "go install github.com/mvanhorn/printing-press-library/library/commerce/amazon-ads/cmd/amazon-ads-pp-cli@latest" (and the analogous amazon-ads-pp-mcp go install), which are external module URLs run at install time and thus directly execute remote code the skill depends on.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill exposes explicit APIs and CLI commands to create and update advertising budgets and budget rules, and includes mutation/apply modes that send updates (e.g., sponsored-brands-sb create-budget-rules-for-sbcampaigns, update-budget-rules-for-sbcampaigns; sponsored-display-sd create/update-budget-rules-for-sdcampaigns; sponsored-products-sp update-budget-rules-for-spcampaigns; commands like budget-rebalance --total-budget and automation --apply which perform mutations). These are not mere read-only reporting calls — they explicitly mutate ad spend configuration (directly changing budgets/rules), which meets the "Direct Financial Execution" criterion.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Jun 21, 2026, 01:30 PM
Issues: 2