pp-producthunt
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of external components from vendor-managed sources.
  - Installs the CLI tool using `npx -y @mvanhorn/printing-press`.
  - Downloads and builds Go binaries from `github.com/mvanhorn/printing-press-library`.
  - Installs an MCP server for interaction with Claude Code via `go install`.
- [COMMAND_EXECUTION]: The skill executes local commands to drive the Product Hunt interface.
  - Invokes the `producthunt-pp-cli` binary with various subcommands to retrieve and analyze data.
  - Provides a `sql` subcommand for read-only querying of the local SQLite database used for caching.
  - Features a `which` command that uses natural language to resolve intent to specific CLI subcommands.
- [PROMPT_INJECTION]: The skill processes untrusted external data, creating a potential surface for indirect prompt injection.
  - Ingestion points: Untrusted content, including product taglines, descriptions, and user comments, is ingested from the Product Hunt API via `posts get`, `posts list`, and `posts comments` (referenced in SKILL.md).
  - Boundary markers: No specific delimiters or "ignore embedded instructions" warnings are provided in the instructions for handling retrieved data.
  - Capability inventory: The skill has access to the `Read Bash` tool and can write output to local files or external URLs via the `--deliver` sink feature (referenced in SKILL.md).
  - Sanitization: The instructions do not specify any validation or sanitization of external data before it is presented to the agent.
Audit Metadata