pp-anylist
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides instructions to install the `anylist-pp-cli` tool using `npx` or `go install`. These downloads originate from the author's own npm package (`@mvanhorn/printing-press`) and GitHub repository (`github.com/mvanhorn/printing-press-library`), representing standard installation procedures for the utility.
- [COMMAND_EXECUTION]: The skill is designed to execute shell commands using the `anylist-pp-cli` binary via the `Read Bash` tool. This is the primary functionality of the skill, used to query and update AnyList data such as grocery items and meal plans.
- [CREDENTIALS_UNSAFE]: The documentation mentions that the CLI stores AnyList authentication tokens in a local configuration file at `~/.config/anylist-pp-cli/config.toml`. The skill does not contain hardcoded secrets or instruct the agent to handle credentials in an unsafe manner.
- [DATA_EXFILTRATION]: The CLI includes a `--deliver webhook:<url>` flag that allows command output to be POSTed to a specified URL. While intended for legitimate automation workflows (e.g., triggering external webhooks), this represents a potential path for data delivery to external endpoints if used improperly.
Audit Metadata