pp-instacart

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the installation of the instacart-pp-cli binary directly from a remote GitHub repository using go install.
  • [REMOTE_CODE_EXECUTION]: During the history backfill process, the skill fetches JavaScript files (dumper.js, extract-one.js, export-jsonl.js) from a remote repository and executes them within the user's browser session using an MCP JavaScript tool.
  • [COMMAND_EXECUTION]: Uses the Bash tool to run the custom CLI, which handles sensitive session cookies stored at ~/.config/instacart/session.json and manages local database files.
  • [EXTERNAL_DOWNLOADS]: Downloads tools and scripts from github.com and raw.githubusercontent.com for local execution and browser injection.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing external data from API responses and user-controlled history files. 1. Ingestion points: instacart history import command and GraphQL API responses. 2. Boundary markers: Absent (no instructions to ignore embedded commands in processed data). 3. Capability inventory: Bash, WebFetch, and Read tools. 4. Sanitization: Absent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 19, 2026, 03:45 AM
Security Audit — agent-trust-hub — pp-instacart