pp-pypi
Pass
Audited by Gen Agent Trust Hub on May 23, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads the `pypi-pp-cli` binary and the `pypi-pp-mcp` server. It uses `npx` to fetch the `@mvanhorn/printing-press` package and `go install` to fetch code from `github.com/mvanhorn/printing-press-library`. These resources are associated with the skill's author.
- [COMMAND_EXECUTION]: The skill uses the `Bash` tool to perform installation, verification (`--version`, `doctor`), and the primary functionality of the PyPI CLI. This includes running `npx`, `go install`, and `pypi-pp-cli` commands.
- [DATA_EXFILTRATION]: The CLI supports a `--deliver webhook:<url>` flag, allowing the agent to POST command results to an external URL. While documented as an output delivery mechanism, it serves as a network egress point for data processed by the tool.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to the following evidence chain:
  - Ingestion points: User input is captured via the `$ARGUMENTS` variable in the 'Argument Parsing' section of `SKILL.md`.
  - Boundary markers: There are no delimiters or instructions to ignore embedded commands when interpolating user input into the shell command.
  - Capability inventory: The skill has the ability to execute arbitrary shell commands via the `Bash` tool and send data to webhooks.
  - Sanitization: There is no evidence of escaping or validation performed on the `$ARGUMENTS` before they are executed.
Audit Metadata