pp-pagliacci

Warn

Audited by Gen Agent Trust Hub on May 28, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The CLI tool supports a --deliver webhook:<url> flag, which allows the agent to send command outputs—potentially containing sensitive PII like delivery addresses, order history, and account balances—to any external HTTP endpoint.
  • [DATA_EXFILTRATION]: The CLI includes an automated authentication mechanism that reads Chrome browser cookies to construct authorization headers, accessing sensitive session data.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install external binaries using npx -y @mvanhorn/printing-press and go install github.com/mvanhorn/printing-press-library/.... While these resources belong to the skill's author, they represent unverified third-party dependencies.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute the pagliacci-pp-cli binary. It includes a which command that resolves natural-language queries into CLI commands, which is a form of dynamic command resolution.
  • [PROMPT_INJECTION]: The skill processes untrusted data from the Pagliacci API (such as menu items, system messages, and order history) without explicit boundary markers or sanitization logic, creating a surface for indirect prompt injection.
  • Ingestion points: API responses fetched via store list, menu cache, orders list, and system site_wide_message.
  • Boundary markers: No explicit delimiters or instructions to ignore instructions within the API data are present.
  • Capability inventory: Access to the Bash tool for command execution.
  • Sanitization: No validation or filtering of remote content is documented.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 28, 2026, 10:00 PM
Security Audit — agent-trust-hub — pp-pagliacci