pp-art-goat

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of the art-goat-pp-cli binary using npx from the @mvanhorn/printing-press-library package and via go install from the github.com/mvanhorn repository. These sources are directly associated with the skill's author and vendor context.
  • [COMMAND_EXECUTION]: The skill operates by executing shell commands via art-goat-pp-cli to interact with museum data, manage a local journal, and search collections.
  • [DATA_EXFILTRATION]: The tool includes a --deliver webhook:<url> feature, which allows the output of any command to be POSTed to an external URL. Additionally, a feedback mechanism exists that can send data to a remote endpoint if explicitly enabled by the user via environment variables.
  • [INDIRECT_PROMPT_INJECTION]: The skill has an ingestion surface for external data, as it fetches content from various museum APIs (AIC, MET, NASA, Smithsonian, etc.) and processes it for display. This ingestion is a standard part of the tool's intended functionality.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 16, 2026, 09:20 PM
Security Audit — agent-trust-hub — pp-art-goat