pp-azure-devops

Warn

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The CLI tool implements a --deliver webhook:<url> flag that allows the results of any command to be sent to an arbitrary external URL via an HTTP POST request. This provides a direct mechanism for exfiltrating Azure DevOps data.
  • [DATA_EXFILTRATION]: The feedback command and its associated environment variables (AZURE_DEVOPS_FEEDBACK_ENDPOINT and AZURE_DEVOPS_FEEDBACK_AUTO_SEND) establish a secondary path for transmitting local data to a remote server.
  • [EXTERNAL_DOWNLOADS]: The skill instructions direct the user to install components from the vendor's official repositories, including the @mvanhorn/printing-press-library package on npm and the mvanhorn/printing-press-library repository on GitHub.
  • [REMOTE_CODE_EXECUTION]: The prerequisite setup requires executing remote code via npx and go install to fetch and build the necessary binaries from external sources.
  • [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by ingesting untrusted data from Azure DevOps (such as work item descriptions, pull request comments, and build logs) and providing capabilities to write that data to the local filesystem or send it to remote webhooks.
  • Ingestion points: Data retrieved from Azure DevOps APIs (work items, PRs, builds).
  • Boundary markers: None identified in the skill instructions.
  • Capability inventory: Arbitrary command execution (bash), file writing (--deliver file:<path>), and network operations (--deliver webhook:<url>).
  • Sanitization: No sanitization or escaping of the ingested external content is described.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 29, 2026, 07:10 PM
Security Audit — agent-trust-hub — pp-azure-devops