pp-instacart
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill facilitates the installation of the `instacart-pp-cli` binary directly from a remote GitHub repository using `go install`.
- [REMOTE_CODE_EXECUTION]: During the history backfill process, the skill fetches JavaScript files (`dumper.js`, `extract-one.js`, `export-jsonl.js`) from a remote repository and executes them within the user's browser session using an MCP JavaScript tool.
- [COMMAND_EXECUTION]: Uses the `Bash` tool to run the custom CLI, which handles sensitive session cookies stored at `~/.config/instacart/session.json` and manages local database files.
- [EXTERNAL_DOWNLOADS]: Downloads tools and scripts from `github.com` and `raw.githubusercontent.com` for local execution and browser injection.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing external data from API responses and user-controlled history files.
  1. Ingestion points: `instacart history import` command and GraphQL API responses.
  2. Boundary markers: Absent (no instructions to ignore embedded commands in processed data).
  3. Capability inventory: `Bash`, `WebFetch`, and `Read` tools.
  4. Sanitization: Absent.