pp-ankiweb

Pass

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: SAFE
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the ankiweb-pp-cli tool via npx or go install from the vendor's repository.
      • npx -y @mvanhorn/printing-press-library install ankiweb --cli-only
      • go install github.com/mvanhorn/printing-press-library/library/education/ankiweb/cmd/ankiweb-pp-cli@latest
  • [CREDENTIALS_UNSAFE]: The skill provides mechanisms to access sensitive session cookies from the Chrome browser or from environment variables to authenticate with the AnkiWeb service.
      • auth login --chrome
      • ANKIWEB_COOKIES environment variable
  • [DATA_EXFILTRATION]: The tool supports a --deliver webhook:<url> feature that allows the user or an agent to POST command results, which may include sensitive deck information, to an arbitrary external URL. It also includes a feedback mechanism that can send local data to an external endpoint if configured.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted content from the AnkiWeb shared deck catalog, such as deck titles, descriptions, and user reviews.
      • Ingestion points: Data enters the context via the shared search, shared info, and decks command outputs.
      • Boundary markers: While output is structured in a JSON provenance envelope, there are no specific delimiters or instructions telling the agent to ignore potentially malicious content within deck descriptions.
      • Capability inventory: The agent has the Read and Bash tools and the ability to write output to local files or remote webhooks via the CLI flags.
      • Sanitization: No explicit sanitization or filtering of the retrieved AnkiWeb metadata is performed before it is presented to the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 15, 2026, 01:15 AM
Security Audit — agent-trust-hub — pp-ankiweb