Skills
skills/mvanhorn/printing-press-library/pp-ordertogo/Gen Agent Trust Hub

pp-ordertogo

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSDATA_EXFILTRATIONCREDENTIALS_UNSAFECOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download and install external binaries using npx and go install from the author's repositories (@mvanhorn/printing-press and github.com/mvanhorn/printing-press-library). These downloads are unversioned (@latest), which poses a supply-chain risk.
  • [DATA_EXFILTRATION]: Every command supports a --deliver webhook:<url> flag. This allows the output of any command—which can include sensitive data like order history, total spending, or account summaries—to be POSTed to an arbitrary external URL.
  • [CREDENTIALS_UNSAFE]: The auth login --chrome feature is designed to programmatically harvest and import session cookies from the user's local Chrome profile into the CLI's internal state.
  • [COMMAND_EXECUTION]: The skill requires the Bash tool and heavily relies on executing complex shell commands to perform its core functions, including installation and data processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 11, 2026, 12:43 PM