pp-roam
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE
Findings: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructions specify installation of the required binary using `npx -y @mvanhorn/printing-press` and `go install github.com/mvanhorn/printing-press-library`. These commands download and execute/compile code from the author's public repositories and package registries.
- [DATA_EXFILTRATION]: Every command supports a `--deliver webhook:<url>` flag that POSTs the command output to a user-specified URL. While designed for integration pipelines, this functionality could be leveraged to exfiltrate sensitive data retrieved from Roam (such as meeting transcripts, audit logs, or SCIM rosters) to an unauthorized external endpoint.
- [COMMAND_EXECUTION]: The skill relies on the execution of the `roam-pp-cli` binary and provides numerous commands for interacting with the Roam API and local data. It also includes the `relay` command, which pipes arbitrary stdin (such as system logs) into Roam groups, necessitating access to local file streams.
- [PROMPT_INJECTION]: (Indirect) The skill is susceptible to indirect prompt injection because it ingests untrusted data from meeting transcripts and chat history that are subsequently processed by AI-native commands like `transcript-fanout` (which scans transcripts for answers) and `decisions` (which extracts action items). The instructions lack explicit boundary markers or sanitization protocols to prevent malicious instructions embedded in the transcripts from influencing the agent's behavior.
  * Ingestion points: Meeting transcripts and chat messages retrieved via `grep`, `chat-history`, and `transcript-info` in SKILL.md.
  * Boundary markers: None present in the instructions or command templates.
  * Capability inventory: The CLI possesses mutation capabilities including posting messages (`chat-post`), managing users/groups (`users`, `groups`), and exporting audit logs (`userauditlog-list`).
  * Sanitization: No sanitization of the retrieved transcript content is defined before processing.
Audit Metadata