pp-customer-io
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the `customer-io-pp-cli` binary using `npx` from the `@mvanhorn/printing-press` package and `go install` from `github.com/mvanhorn/printing-press-library`. These resources are provided by the skill's associated vendor.
- [COMMAND_EXECUTION]: The skill uses the `Bash` tool to execute the `customer-io-pp-cli` binary, enabling interaction with the Customer.io API and management of a local SQLite cache.
- [DATA_EXFILTRATION]: The CLI includes a `--deliver webhook:<url>` feature and a `feedback` command that can optionally send data to an external endpoint if environment variables are configured. This functionality allows the agent to transmit command results (potentially containing customer profiles, segment data, or campaign metrics) to external URLs. While a documented feature for output routing, it constitutes a data exfiltration vector if the destination URL is not strictly controlled.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection (Category 8) through its ingestion of untrusted data.
  - Ingestion points: Data enters the agent's context through the Customer.io API (e.g., campaigns, customers, activities) and local CSV/JSONL files provided via the `--from-csv` flag in the `suppressions bulk add` command.
  - Boundary markers: The skill instructions do not specify the use of delimiters or boundary markers to isolate ingested data from the agent's execution instructions.
  - Capability inventory: The skill possesses the capability to execute shell commands via `Bash`, write to local files, and perform network requests to arbitrary webhooks.
  - Sanitization: There is no evidence of sanitization, validation, or filtering of the ingested external content before it is processed by the agent.