pp-contact-goat

Warn

Audited by Gen Agent Trust Hub on May 23, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructions describe an automated discovery mechanism where the tool reads sensitive API keys from a hidden configuration file located at ~/.local/deepline/<host>/.env.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of external software components, specifically the @mvanhorn/printing-press package from NPM and the contact-goat-pp-cli and contact-goat-pp-mcp binaries from a GitHub repository (github.com/mvanhorn/printing-press-library).
  • [REMOTE_CODE_EXECUTION]: The installation procedures involve executing code directly from remote sources using npx and go install, which download and run binaries from external repositories.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute the installed CLI binary, manage package installations, and perform system checks with commands such as which and grep.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 23, 2026, 08:00 PM