pp-roam
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to download and install an external CLI binary using `npx -y @mvanhorn/printing-press install roam --cli-only` or `go install github.com/mvanhorn/printing-press-library/...`. These resources are hosted within the author's (mvanhorn) scope and repository.
- [COMMAND_EXECUTION]: The skill extensively uses the `Bash` tool to execute `roam-pp-cli` commands. These commands include data retrieval (transcripts, chat history) and administrative mutations (SCIM user management, event cancellation).
- [DATA_EXFILTRATION]: The skill documents a built-in feature `--deliver webhook:<url>` which allows the agent to POST command results directly to an arbitrary external URL. Additionally, the `feedback` command can transmit data to a remote endpoint if the `ROAM_FEEDBACK_ENDPOINT` environment variable is configured.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8):
  - Ingestion points: Data is ingested through commands like `roam-pp-cli grep`, `decisions`, and `transcript-fanout` which read external chat messages and meeting transcripts from the Roam HQ API into the agent's context.
  - Boundary markers: There are no instructions or delimiters defined to warn the agent to ignore instructions embedded within the processed transcript or chat data.
  - Capability inventory: The skill has access to the `Bash` tool and commands capable of data mutation (`chat-post`, `scim-diff --apply`, `onair-event-cancel`) and external transmission (`--deliver webhook:<url>`).
  - Sanitization: There is no evidence of sanitization or filtering of the external content before it is processed by the agent.
Audit Metadata