pp-pagliacci
Warn
Audited by Gen Agent Trust Hub on May 28, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The CLI tool supports a
--deliver webhook:<url>flag, which allows the agent to send command outputs—potentially containing sensitive PII like delivery addresses, order history, and account balances—to any external HTTP endpoint. - [DATA_EXFILTRATION]: The CLI includes an automated authentication mechanism that reads Chrome browser cookies to construct authorization headers, accessing sensitive session data.
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install external binaries using
npx -y @mvanhorn/printing-pressandgo install github.com/mvanhorn/printing-press-library/.... While these resources belong to the skill's author, they represent unverified third-party dependencies. - [COMMAND_EXECUTION]: The skill uses the
Bashtool to execute thepagliacci-pp-clibinary. It includes awhichcommand that resolves natural-language queries into CLI commands, which is a form of dynamic command resolution. - [PROMPT_INJECTION]: The skill processes untrusted data from the Pagliacci API (such as menu items, system messages, and order history) without explicit boundary markers or sanitization logic, creating a surface for indirect prompt injection.
- Ingestion points: API responses fetched via
store list,menu cache,orders list, andsystem site_wide_message. - Boundary markers: No explicit delimiters or instructions to ignore instructions within the API data are present.
- Capability inventory: Access to the
Bashtool for command execution. - Sanitization: No validation or filtering of remote content is documented.
Audit Metadata