pp-food52

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly describes commands that fetch and ingest live, public Food52 content (e.g., "food52-pp-cli recipes get", "articles get", "sync recipes", and "recipes search" which auto-discovers Typesense/search keys from the public JS bundle) so the agent reads untrusted third-party website content as part of its workflow and can act on it (scale/print/deliver), enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs runtime installation that fetches and executes remote code required for operation—e.g., "npx -y @mvanhorn/printing-press install food52 --cli-only" and "go install github.com/mvanhorn/printing-press-library/library/food-and-dining/food52/cmd/food52-pp-cli@latest" (and the MCP install "go install .../food52-pp-mcp@latest")—so external content from these sources would be fetched and run and is required for the skill to function.