pp-art-goat
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of the
art-goat-pp-clibinary usingnpxfrom the@mvanhorn/printing-press-librarypackage and viago installfrom thegithub.com/mvanhornrepository. These sources are directly associated with the skill's author and vendor context. - [COMMAND_EXECUTION]: The skill operates by executing shell commands via
art-goat-pp-clito interact with museum data, manage a local journal, and search collections. - [DATA_EXFILTRATION]: The tool includes a
--deliver webhook:<url>feature, which allows the output of any command to be POSTed to an external URL. Additionally, a feedback mechanism exists that can send data to a remote endpoint if explicitly enabled by the user via environment variables. - [INDIRECT_PROMPT_INJECTION]: The skill has an ingestion surface for external data, as it fetches content from various museum APIs (AIC, MET, NASA, Smithsonian, etc.) and processes it for display. This ingestion is a standard part of the tool's intended functionality.
Audit Metadata