pp-mercury
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the installation of the `mercury-pp-cli` and `mercury-pp-mcp` tools from the author's own GitHub repositories and NPM organization. Specific commands include `npx -y @mvanhorn/printing-press install mercury` and `go install github.com/mvanhorn/printing-press-library/library/payments/mercury/cmd/...`.
- [DATA_EXFILTRATION]: The CLI tool supports a `--deliver webhook:<url>` flag, which allows the agent to POST command output (potentially containing bank account balances, transaction history, and recipient details) to any provided URL. It also features a feedback mechanism that can send data to a remote endpoint if configured.
- [COMMAND_EXECUTION]: The skill operates by executing the `mercury-pp-cli` binary through a bash environment to manage banking resources, process payments, and sync data to a local SQLite store.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). An attacker could place malicious instructions in bank transaction notes or account names which, when read by the agent, could trigger unauthorized actions.
  - Ingestion points: Bank account details, transaction notes, invoice attachments, and customer metadata retrieved via `mercury-pp-cli` (SKILL.md).
  - Boundary markers: Absent. The instructions do not define delimiters or provide guidance to ignore instructions embedded in the API data.
  - Capability inventory: The skill allows the agent to execute bash commands, write to the file system (`--deliver file:<path>`), and perform network requests (`--deliver webhook:<url>`).
  - Sanitization: Absent. There is no mention of validating or escaping content retrieved from the banking API before it is processed by the agent.
Audit Metadata