pp-coffee-goat

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
Flagged categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of external binaries from vendor-controlled resources.
      • Downloads and executes code via `npx -y @mvanhorn/printing-press-library`.
      • Installs Go binaries from github.com/mvanhorn/printing-press-library/library/food-and-dining/coffee-goat/cmd/.
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute the `coffee-goat-pp-cli` binary with various arguments to manage local databases and query remote sources. It allows broad shell access via the Read Bash tool requirement.
  • [DATA_EXFILTRATION]: The CLI includes a `--deliver webhook:<url>` feature that allows the agent to POST command results to an arbitrary external URL. This creates a surface for exfiltrating local data such as brew logs, cellar inventory, and palate profiles.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection, as it ingests untrusted third-party data from roaster catalogs and YouTube transcripts.
      • Ingestion points: Data enters the agent context via the `search`, `transcript-search`, and `creator-review` subcommands (SKILL.md).
      • Boundary markers: The CLI uses a JSON response envelope (including `meta` and `results` fields) to separate metadata from content.
      • Capability inventory: The `coffee-goat-pp-cli` tool can perform network requests (webhooks) and write to the local file system.
      • Sanitization: No explicit validation or filtering of external content is mentioned before it is presented to the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 13, 2026, 07:21 PM
Security Audit — agent-trust-hub — pp-coffee-goat