pp-kit
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install a CLI binary from the vendor's repository via `go install` or `npx`. Specifically, it references `github.com/mvanhorn/printing-press-library` and the NPM package `@mvanhorn/printing-press`. These resources are consistent with the identified vendor 'mvanhorn'.
- [COMMAND_EXECUTION]: The skill is primarily a wrapper for the `kit-pp-cli` command-line tool. It uses several subcommands (e.g., `workflow`, `account`, `broadcasts`) to interact with the Kit API. It also includes an installation command using `go install` and `npx`, which is standard for CLI tools.
- [DATA_EXFILTRATION]: The skill documentation describes a `--deliver webhook:<url>` feature that allows routing command output to a specified URL. While this provides a mechanism for data transmission, it is presented as a legitimate tool capability for automation and is not directed at a hardcoded malicious endpoint.
Audit Metadata