pp-arxiv
Warn
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the `arxiv-pp-cli` tool via `npx -y @mvanhorn/printing-press` or `go install github.com/mvanhorn/printing-press-library/library/other/arxiv/cmd/arxiv-pp-cli@latest`. These resources are hosted on public registries and GitHub repositories controlled by the vendor.
- [DATA_EXFILTRATION]: The CLI tool includes a built-in output delivery system that supports a `webhook:<url>` sink. This allows the agent to POST the results of any command to an arbitrary external endpoint. In an agentic environment, this capability could be used to exfiltrate local data or paper metadata to untrusted servers.
- [COMMAND_EXECUTION]: The skill's core functionality relies on executing shell commands through the `arxiv-pp-cli`. It includes features for managing local configuration profiles at `~/.arxiv-pp-cli/` and a natural language command resolution tool (`which`) that takes user-supplied strings.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted research paper metadata (titles, abstracts) from the arXiv API and possesses capabilities that can be used for secondary attacks.
  - Ingestion points: Data enters the agent's context from the results of the `arxiv-pp-cli query` command, which fetches content from the public arXiv Atom API.
  - Boundary markers: No specific boundary markers or instructions to isolate external paper content from agent instructions are provided.
  - Capability inventory: The skill has access to the `Bash` tool and features network-based output delivery via webhooks.
  - Sanitization: The instructions do not describe any sanitization or validation of the metadata received from the API.
Audit Metadata