pp-nvd

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required workflow instructs the agent to run nvd-pp-cli commands like "nvd-pp-cli json search-cves" which return live NVD (public third-party) data (see the response envelope with "meta.source":"live"), and the agent is expected to parse and act on those results—i.e., ingesting public third‑party content that can materially influence subsequent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill requires installing and running a remote CLI fetched at runtime (e.g., "go install github.com/mvanhorn/printing-press-library/library/developer-tools/nvd/cmd/nvd-pp-cli@latest" and the npx installer "npx -y @mvanhorn/printing-press install nvd --cli-only"), which downloads and installs remote code that will be executed and is a required dependency, so it presents a runtime code-execution risk.