pp-coffee-goat
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of external binaries from vendor-controlled resources.
  - Downloads and executes code via `npx -y @mvanhorn/printing-press-library`.
  - Installs Go binaries from `github.com/mvanhorn/printing-press-library/library/food-and-dining/coffee-goat/cmd/`.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute the `coffee-goat-pp-cli` binary with various arguments to manage local databases and query remote sources. It allows broad shell access via the `Read Bash` tool requirement.
- [DATA_EXFILTRATION]: The CLI includes a `--deliver webhook:<url>` feature that allows the agent to POST command results to an arbitrary external URL. This creates a surface for exfiltrating local data such as brew logs, cellar inventory, and palate profiles.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted third-party data from roaster catalogs and YouTube transcripts.
  - Ingestion points: Data entering the agent context via `search`, `transcript-search`, and `creator-review` subcommands (SKILL.md).
  - Boundary markers: The CLI uses a JSON response envelope (including `meta` and `results` fields) to separate metadata from content.
  - Capability inventory: The `coffee-goat-pp-cli` tool can perform network requests (webhooks) and write to the local file system.
  - Sanitization: No explicit validation or filtering of external content is mentioned before it is presented to the agent.
Audit Metadata