pp-pypi

Pass

Audited by Gen Agent Trust Hub on May 23, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads the pypi-pp-cli binary and the pypi-pp-mcp server. It uses npx to fetch the @mvanhorn/printing-press package and go install to fetch code from github.com/mvanhorn/printing-press-library. These resources are associated with the skill's author.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to perform installation, verification (--version, doctor), and primary functionality of the PyPI CLI. This includes running npx, go install, and pypi-pp-cli commands.
  • [DATA_EXFILTRATION]: The CLI supports a --deliver webhook:<url> flag, allowing the agent to POST command results to an external URL. While documented as an output delivery mechanism, it serves as a network egress point for data processed by the tool.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to the following evidence chain:
    ◦ Ingestion points: User input is captured via the $ARGUMENTS variable in the 'Argument Parsing' section of SKILL.md.
    ◦ Boundary markers: There are no delimiters or instructions to ignore embedded commands when interpolating user input into the shell command.
    ◦ Capability inventory: The skill has the ability to execute arbitrary shell commands via the Bash tool and send data to webhooks.
    ◦ Sanitization: There is no evidence of escaping or validation performed on $ARGUMENTS before it is executed.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 23, 2026, 03:19 AM
Security Audit — agent-trust-hub — pp-pypi