pp-lunch-money

Warn

Audited by Snyk on May 23, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill invokes the public Lunch Money APIs (api.lunchmoney.dev/v2) and local synced data (e.g., transactions, attachments via transactions get-all / get-attachment-url and triage results) and explicitly instructs agents to run in --agent mode and parse those user-generated transaction/notes results to drive follow-up actions (retagging, net-worth decisions, bulk edits), so untrusted/user-provided content can be ingested and materially influence subsequent tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill requires installing and running remote code at runtime via the installer command npx -y @mvanhorn/printing-press install lunch-money --cli-only (or the Go install that fetches and builds code from github.com/mvanhorn/printing-press-library/library/payments/lunch-money/cmd/lunch-money-pp-cli@latest), which fetches and executes third-party code as a required dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). This skill is explicitly a client for the Lunch Money financial API and exposes commands that modify financial state rather than only viewing data. Examples: budgets upsert (create/update budgets), transactions create-new, transactions update|delete and bulk PUT via transactions retag (mass-edit transactions), manual-accounts create, crypto commands like crypto create-manual / crypto update-manual, and Plaid integration plaid-accounts trigger-fetch. It also documents an internal API with cookie auth for bulk-edit primitives. These are specific financial APIs to create/update/delete budgets, transactions, accounts and crypto entries — matching the "Direct Financial Execution" criteria.

Issues (3)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 23, 2026, 10:40 AM
Issues
3
Security Audit — snyk — pp-lunch-money