pp-kit

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to install a CLI binary from the vendor's repository via go install or npx. Specifically, it references github.com/mvanhorn/printing-press-library and the NPM package @mvanhorn/printing-press. These resources are consistent with the identified vendor 'mvanhorn'.
  • [COMMAND_EXECUTION]: The skill is primarily a wrapper for the kit-pp-cli command-line tool. It uses several subcommands (e.g., workflow, account, broadcasts) to interact with the Kit API. It also includes an installation command using go install and npx, which is standard for CLI tools.
  • [DATA_EXFILTRATION]: The skill documentation describes a --deliver webhook:<url> feature that allows routing command output to a specified URL. While this provides a mechanism for data transmission, it is presented as a legitimate tool capability for automation and is not directed at a hardcoded malicious endpoint.
Audit Metadata
Risk Level
SAFE
Analyzed
May 20, 2026, 01:54 AM
Security Audit — agent-trust-hub — pp-kit