pp-numista
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the installation of a CLI tool using `npx -y @mvanhorn/printing-press install numista`. This executes code from a remote NPM package published by the skill's author. This is documented as a vendor-provided dependency.
- [DATA_EXFILTRATION]: The CLI tool features a `--deliver webhook:<url>` flag that allows command output to be POSTed to an external URL. This capability can be misused by an agent to exfiltrate sensitive user collection data or account details to untrusted servers.
- [DATA_EXFILTRATION]: The `feedback` command allows transmitting local data to a remote server if the `NUMISTA_FEEDBACK_ENDPOINT` environment variable is set. This provides an additional path for data transmission outside the user's immediate view.
- [COMMAND_EXECUTION]: The skill invokes the `numista-pp-cli` binary for all operations. The CLI performs local file system operations, such as managing a SQLite database and storing configuration in `~/.numista-pp-cli/auth.json`.
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by processing external data files (e.g., `imports.csv` and `type-ids.csv`).
  - Ingestion points: Data is ingested through `--from-file` and `--file` flags in the `users collected-items add` and `types batch` commands.
  - Boundary markers: There are no explicit markers or instructions to ignore embedded commands within the processed data.
  - Capability inventory: The agent has access to full subprocess execution of the CLI, which includes network access and file system writes.
  - Sanitization: No sanitization or validation of the ingested content is described before the output is returned to the agent's context.
Audit Metadata