pp-qbo

Warn

Audited by Gen Agent Trust Hub on Jun 25, 2026

Risk Level: MEDIUM

Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads and installs external binaries and packages from public registries and repositories.
    • Evidence:
      • Fetches the @mvanhorn/printing-press-library package via npx from the NPM registry.
      • Installs Go binaries from github.com/mvanhorn/printing-press-library.
      • These sources are well-known or associated with the skill's author, but involve third-party code execution.
  • [COMMAND_EXECUTION]: The skill is designed to execute shell commands using the qbo-pp-cli binary to manage accounting data.
    • Evidence: Commands such as qbo-pp-cli sync, qbo-pp-cli accounts create, and others are intended for direct execution by the agent via the Bash tool.
  • [DATA_EXFILTRATION]: The skill provides a mechanism to route sensitive financial data to external, user-specified endpoints.
    • Evidence: The --deliver webhook:<url> flag allows the agent to POST command results (potentially containing full ledgers, invoices, and payments) to an arbitrary URL. Additionally, a feedback command can send data to a remote QBO_FEEDBACK_ENDPOINT if configured.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of external data and direct argument interpolation.
    • Ingestion points: Financial data is fetched from QuickBooks Online APIs and local SQLite caches.
    • Boundary markers: No explicit delimiters or instructions are provided to the agent to ignore instructions embedded within the financial data it processes.
    • Capability inventory: The agent has access to the Bash tool and the ability to exfiltrate data via webhooks or file writes.
    • Sanitization: No sanitization or validation of the $ARGUMENTS or retrieved financial data is described before they are used in CLI command execution.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 25, 2026, 10:32 PM
Security Audit — agent-trust-hub — pp-qbo