pp-numista

Warn

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the installation of a CLI tool using npx -y @mvanhorn/printing-press install numista. This executes code from a remote NPM package published by the skill's author. This is documented as a vendor-provided dependency.
  • [DATA_EXFILTRATION]: The CLI tool features a --deliver webhook:<url> flag that allows command output to be POSTed to an external URL. This capability can be misused by an agent to exfiltrate sensitive user collection data or account details to untrusted servers.
  • [DATA_EXFILTRATION]: The feedback command allows transmitting local data to a remote server if the NUMISTA_FEEDBACK_ENDPOINT environment variable is set. This provides an additional path for data transmission outside the user's immediate view.
  • [COMMAND_EXECUTION]: The skill invokes the numista-pp-cli binary for all operations. The CLI performs local file system operations, such as managing a SQLite database and storing configuration in ~/.numista-pp-cli/auth.json.
  • [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by processing external data files (e.g., imports.csv and type-ids.csv).
  • Ingestion points: Data is ingested through --from-file and --file flags in the users collected-items add and types batch commands.
  • Boundary markers: There are no explicit markers or instructions to ignore embedded commands within the processed data.
  • Capability inventory: The agent has access to full subprocess execution of the CLI, which includes network access and file system writes.
  • Sanitization: No sanitization or validation of the ingested content is described before the output is returned to the agent's context.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 20, 2026, 05:23 PM
Security Audit — agent-trust-hub — pp-numista