pp-google-photos

Pass

Audited by Gen Agent Trust Hub on May 27, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONCREDENTIALS_UNSAFECOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill provides instructions to install the google-photos-pp-cli binary using npx from the @mvanhorn npm scope and go install from the mvanhorn GitHub repository. These sources are owned by the skill's author.
  • [DATA_EXFILTRATION]: The CLI includes a --deliver flag that supports a webhook:<url> sink, which POSTs command results to a specified URL. While this is a documented feature for integration, it constitutes a network egress path for user data retrieved from the Google Photos API.
  • [CREDENTIALS_UNSAFE]: The tool manages OAuth authentication for Google Photos. It stores tokens locally and provides dedicated commands for managing these accounts, such as auth list, auth use, and auth remove.
  • [COMMAND_EXECUTION]: The skill utilizes shell commands through the Read Bash tool to perform operations. This includes diagnostic tasks and a feedback mechanism that can optionally transmit data to a remote endpoint if the GOOGLE_PHOTOS_FEEDBACK_ENDPOINT environment variable is configured.
Audit Metadata
Risk Level
SAFE
Analyzed
May 27, 2026, 01:12 AM
Security Audit — agent-trust-hub — pp-google-photos