pp-jimmy-johns

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill instructs the agent to fetch and consume live, public third‑party content (e.g., "jimmy-johns-pp-cli menu products", "jimmy-johns-pp-cli stores list", "jimmy-johns-pp-cli stores get_disclaimers" in SKILL.md) and to parse those results as part of agent workflows for building carts and deciding actions, so external site content could materially influence behavior and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's prerequisite runs "npx -y @mvanhorn/printing-press install jimmy-johns --cli-only" which fetches and executes remote npm package code from https://www.npmjs.com/package/@mvanhorn/printing-press during setup and is a required dependency, so it can execute remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). This CLI is explicitly for creating and submitting Jimmy John's orders: it supports account auth, listing saved payment methods, building carts/one-shot reorders, and agent-mode non-interactive execution ( --agent / --yes ). Those capabilities enable an agent to authenticate as a user and place orders that will charge saved payment methods — i.e., execute real payments. Although it is a restaurant-ordering tool rather than a generic payment gateway, its primary and explicit purpose is to create/submit commercial orders that move money, so it meets the "direct financial execution" criterion.