pp-eu-tenders

Warn

Audited by Snyk on May 18, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's CLI explicitly syncs and ingests the public TED (Tenders Electronic Daily) procurement corpus ("This CLI syncs the corpus to SQLite") and the agent-mode commands (e.g., notices, leads, buyer, score) consume and act on those public third‑party notices, so untrusted external content from TED is read and can materially influence agent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill requires installing and running remote binaries fetched at runtime (e.g., via go install github.com/mvanhorn/printing-press-library/library/sales-and-crm/eu-tenders/cmd/eu-tenders-pp-cli@latest and the npm installer npx -y @mvanhorn/printing-press install eu-tenders --cli-only), which downloads and executes external code that directly produces the CLI output used to drive agent prompts and behavior.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 18, 2026, 05:27 PM
Issues
2
Security Audit — snyk — pp-eu-tenders