pp-azure-devops
Warn
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The CLI tool implements a
--deliver webhook:<url>flag that allows the results of any command to be sent to an arbitrary external URL via an HTTP POST request. This provides a direct mechanism for exfiltrating Azure DevOps data. - [DATA_EXFILTRATION]: The
feedbackcommand and its associated environment variables (AZURE_DEVOPS_FEEDBACK_ENDPOINTandAZURE_DEVOPS_FEEDBACK_AUTO_SEND) establish a secondary path for transmitting local data to a remote server. - [EXTERNAL_DOWNLOADS]: The skill instructions direct the user to install components from the vendor's official repositories, including the
@mvanhorn/printing-press-librarypackage on npm and themvanhorn/printing-press-libraryrepository on GitHub. - [REMOTE_CODE_EXECUTION]: The prerequisite setup requires executing remote code via
npxandgo installto fetch and build the necessary binaries from external sources. - [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by ingesting untrusted data from Azure DevOps (such as work item descriptions, pull request comments, and build logs) and providing capabilities to write that data to the local filesystem or send it to remote webhooks.
- Ingestion points: Data retrieved from Azure DevOps APIs (work items, PRs, builds).
- Boundary markers: None identified in the skill instructions.
- Capability inventory: Arbitrary command execution (bash), file writing (
--deliver file:<path>), and network operations (--deliver webhook:<url>). - Sanitization: No sanitization or escaping of the ingested external content is described.
Audit Metadata