pp-lunch-money
Warn
Audited by Snyk on May 23, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill invokes the public Lunch Money APIs (api.lunchmoney.dev/v2) and local synced data (e.g., transactions, attachments via transactions get-all / get-attachment-url and triage results) and explicitly instructs agents to run in --agent mode and parse those user-generated transaction/notes results to drive follow-up actions (retagging, net-worth decisions, bulk edits), so untrusted/user-provided content can be ingested and materially influence subsequent tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill requires installing and running remote code at runtime via the installer command
npx -y @mvanhorn/printing-press install lunch-money --cli-only(or the Go install that fetches and builds code from github.com/mvanhorn/printing-press-library/library/payments/lunch-money/cmd/lunch-money-pp-cli@latest), which fetches and executes third-party code as a required dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill is explicitly a client for the Lunch Money financial API and exposes commands that modify financial state rather than only viewing data. Examples:
budgets upsert(create/update budgets),transactions create-new,transactions update|deleteand bulk PUT viatransactions retag(mass-edit transactions),manual-accounts create, crypto commands likecrypto create-manual/crypto update-manual, and Plaid integrationplaid-accounts trigger-fetch. It also documents aninternalAPI with cookie auth for bulk-edit primitives. These are specific financial APIs to create/update/delete budgets, transactions, accounts and crypto entries — matching the "Direct Financial Execution" criteria.
Issues (3)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata