pp-eu-tenders
Warn
Audited by Snyk on May 18, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's CLI explicitly syncs and ingests the public TED (Tenders Electronic Daily) procurement corpus ("This CLI syncs the corpus to SQLite") and the agent-mode commands (e.g., notices, leads, buyer, score) consume and act on those public third‑party notices, so untrusted external content from TED is read and can materially influence agent decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill requires installing and running remote binaries fetched at runtime (e.g., via
go install github.com/mvanhorn/printing-press-library/library/sales-and-crm/eu-tenders/cmd/eu-tenders-pp-cli@latestand the npm installernpx -y @mvanhorn/printing-press install eu-tenders --cli-only), which downloads and executes external code that directly produces the CLI output used to drive agent prompts and behavior.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata