pp-contact-goat
Warn
Audited by Gen Agent Trust Hub on May 23, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructions describe an automated discovery mechanism where the tool reads sensitive API keys from a hidden configuration file located at
~/.local/deepline/<host>/.env. - [EXTERNAL_DOWNLOADS]: The skill requires the installation of external software components, specifically the
@mvanhorn/printing-presspackage from NPM and thecontact-goat-pp-cliandcontact-goat-pp-mcpbinaries from a GitHub repository (github.com/mvanhorn/printing-press-library). - [REMOTE_CODE_EXECUTION]: The installation procedures involve executing code directly from remote sources using
npxandgo install, which downloads and runs binaries from external repositories. - [COMMAND_EXECUTION]: The skill utilizes the
Bashtool to execute the installed CLI binary, manage package installations, and perform system checks such aswhichandgrep.
Audit Metadata