Skills
skills/mvanhorn/printing-press-library/pp-digg/Snyk

pp-digg

Warn

Audited by Snyk on May 11, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses live, public third-party content (e.g., Digg HTML via "feed raw", Digg APIs such as /api/search/stories used by the search command, the posts <clusterUrlId> output which returns X/Twitter user-generated post bodies, and the events pipeline stream) and instructs agents to consume those results with --agent to drive alerts, evidence, sentiment, and follow-up actions, so untrusted user-generated content can materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill instructs installing a required CLI via the runtime command "npx -y @mvanhorn/printing-press install digg --cli-only", which fetches and executes remote code from the npm registry to produce the digg-pp-cli dependency.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 11, 2026, 12:02 AM
Issues
2