pp-grubhub
Warn
Audited by Snyk on Jun 20, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The required runtime workflow executes grubhub-pp-cli, which “browses Grubhub's marketplace from the command line” (e.g., near/compare/dish/deals/menu), so it necessarily fetches and ingests third-party marketplace content (outsider-authored web data) into the agent-visible JSON context.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill's prerequisite installation steps run remote installers that fetch and execute code at runtime (notably the npm installer via "npx -y @mvanhorn/printing-press-library install grubhub --cli-only" and the Go module install "go install github.com/mvanhorn/printing-press-library/library/commerce/grubhub/cmd/grubhub-pp-cli@latest"), so external content is executed and required for the skill to run.
Issues (2)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata