pp-gumroad
Warn
Audited by Socket on May 17, 2026
1 alert found:
SecuritySecuritySKILL.md
MEDIUMSecurityMEDIUM
SKILL.md
The skill's purpose is coherent, but its actual footprint relies on installing and trusting external Gumroad CLI/MCP binaries whose provenance is not verified in the skill. Because that binary receives a Gumroad access token and can send output to arbitrary webhook endpoints, this is best classified as suspicious/high-risk rather than benign.
Confidence: 84%Severity: 86%
Audit Metadata