pp-dice-fm
Warn
Audited by Gen Agent Trust Hub on Jun 28, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the
dice-fm-pp-clianddice-fm-pp-mcpbinaries from the author's GitHub repository (github.com/mvanhorn/printing-press-library) and npm package (@mvanhorn/printing-press-library). These are vendor-provided resources for the skill's functionality. - [COMMAND_EXECUTION]: The skill executes shell commands using the installed
dice-fm-pp-clibinary, passing user-supplied arguments through the$ARGUMENTSvariable. - [COMMAND_EXECUTION]: The
normalizecommand includes an optional--classifier-cmdflag that allows the agent to execute an arbitrary external command or script for data classification purposes. - [DATA_EXFILTRATION]: The skill features a
--deliver webhook:<url>option that enables the output of commands—which can include sensitive event and fan data—to be POSTed to external HTTPS endpoints. While the skill documentation notes that this feature is hardened with SSRF guards and is blocked in certain contexts (MCP), it remains a primary vector for data transfer to external domains. - [INDIRECT_PROMPT_INJECTION]: The skill processes data from the external DICE.FM API and local configuration files, creating a surface for indirect prompt injection.
- Ingestion points: External data from DICE API (events, orders, fans, tickets), local feedback logs, and imported classification files (
classified.json). - Boundary markers: No explicit boundary markers or instructions to ignore embedded content are defined for the processed data.
- Capability inventory: The skill can execute shell commands (
dice-fm-pp-cli), write files to the local system (--deliver file:), and perform network POST requests (--deliver webhook:). - Sanitization: The skill implements a pseudonymization mechanism that replaces fan identifiers (PII) with deterministic tokens by default, though this can be bypassed with the
include_pii: trueflag.
Audit Metadata