pp-pypi
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to download and install CLI binaries from the author's infrastructure via 'go install github.com/mvanhorn/printing-press-library/...' and '@mvanhorn/printing-press' via npx. These resources are associated with the skill's vendor infrastructure.
- [COMMAND_EXECUTION]: The skill uses the 'Read Bash' tool to execute the 'pypi-pp-cli' binary with user-provided arguments, enabling interactions with the PyPI API and local profile management.
- [DATA_EXFILTRATION]: The CLI tool supports a '--deliver' flag with a 'webhook:' sink, allowing command output (which may contain sensitive information) to be POSTed to an arbitrary external URL. It also includes a feedback mechanism that can send local notes to a configured 'PYPI_FEEDBACK_ENDPOINT'.
- [PROMPT_INJECTION]: The skill ingests untrusted package metadata and descriptions from the PyPI API. This data is processed without sanitization or boundary markers, creating a surface for indirect prompt injection that could exploit the agent's file-write and network-delivery capabilities.
  - Ingestion points: CLI output containing external PyPI data.
  - Boundary markers: Absent.
  - Capability inventory: Subprocess execution, file system writes via '--deliver file:', and network POST requests via '--deliver webhook:'.
  - Sanitization: Absent.
Audit Metadata