pp-ankiweb
Pass
Audited by Gen Agent Trust Hub on Jun 15, 2026
Risk Level: SAFE
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the `ankiweb-pp-cli` tool via `npx` or `go install` from the vendor's repository.
  - `npx -y @mvanhorn/printing-press-library install ankiweb --cli-only`
  - `go install github.com/mvanhorn/printing-press-library/library/education/ankiweb/cmd/ankiweb-pp-cli@latest`
- [CREDENTIALS_UNSAFE]: The skill provides mechanisms to access sensitive session cookies from the Chrome browser or environment variables to authenticate with the AnkiWeb service.
  - `auth login --chrome`
  - `ANKIWEB_COOKIES` environment variable
- [DATA_EXFILTRATION]: The tool supports a `--deliver webhook:<url>` feature that allows the user or an agent to POST command results, which may include sensitive deck information, to an arbitrary external URL. It also includes a feedback mechanism that can send local data to an external endpoint if configured.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted content from the AnkiWeb shared deck catalog, such as deck titles, descriptions, and user reviews.
  - Ingestion points: Data enters the context via `shared search`, `shared info`, and `decks` command outputs.
  - Boundary markers: While output is structured in a JSON provenance envelope, there are no specific delimiters or instructions for the agent to ignore potentially malicious content within deck descriptions.
  - Capability inventory: The agent has the `Read Bash` tool and the ability to write output to local files or remote webhooks via the CLI flags.
  - Sanitization: No explicit sanitization or filtering of the retrieved AnkiWeb metadata is performed before it is presented to the agent.
Audit Metadata