pp-qbo
Warn
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and installs external binaries and packages from public registries and repositories.
  - Evidence:
    - Fetches the `@mvanhorn/printing-press-library` package via `npx` from the NPM registry.
    - Installs Go binaries from `github.com/mvanhorn/printing-press-library`.
    - These sources are well-known or associated with the skill's author, but involve third-party code execution.
- [COMMAND_EXECUTION]: The skill is designed to execute shell commands using the `qbo-pp-cli` binary to manage accounting data.
  - Evidence: Commands such as `qbo-pp-cli sync`, `qbo-pp-cli accounts create`, and others are intended for direct execution by the agent via the `Bash` tool.
- [DATA_EXFILTRATION]: The skill provides a mechanism to route sensitive financial data to external, user-specified endpoints.
  - Evidence: The `--deliver webhook:<url>` flag allows the agent to POST command results (potentially containing full ledgers, invoices, and payments) to an arbitrary URL. Additionally, a `feedback` command can send data to a remote `QBO_FEEDBACK_ENDPOINT` if configured.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of external data and direct argument interpolation.
  - Ingestion points: Financial data is fetched from QuickBooks Online APIs and local SQLite caches.
  - Boundary markers: No explicit delimiters or instructions are provided to the agent to ignore instructions embedded within the financial data it processes.
  - Capability inventory: The agent has access to the `Bash` tool and the ability to exfiltrate data via webhooks or file writes.
  - Sanitization: No sanitization or validation of the `$ARGUMENTS` or retrieved financial data is described before they are used in CLI command execution.