pp-roam

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
Flags: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructions specify installation of the required binary using npx -y @mvanhorn/printing-press and go install github.com/mvanhorn/printing-press-library. These commands download and execute/compile code from the author's public repositories and package registries.
  • [DATA_EXFILTRATION]: Every command supports a --deliver webhook:<url> flag that POSTs the command output to a user-specified URL. While designed for integration pipelines, this functionality could be leveraged to exfiltrate sensitive data retrieved from Roam (such as meeting transcripts, audit logs, or SCIM rosters) to an unauthorized external endpoint.
  • [COMMAND_EXECUTION]: The skill relies on the execution of the roam-pp-cli binary and provides numerous commands for interacting with the Roam API and local data. It also includes the relay command which pipes arbitrary stdin (such as system logs) into Roam groups, necessitating access to local file streams.
  • [PROMPT_INJECTION]: (Indirect) The skill is susceptible to indirect prompt injection because it ingests untrusted data from meeting transcripts and chat history that are subsequently processed by AI-native commands like transcript-fanout (which scans transcripts for answers) and decisions (which extracts action items). The instructions lack explicit boundary markers or sanitization protocols to prevent malicious instructions embedded in the transcripts from influencing the agent's behavior.
    * Ingestion points: Meeting transcripts and chat messages retrieved via grep, chat-history, and transcript-info in SKILL.md.
    * Boundary markers: None present in the instructions or command templates.
    * Capability inventory: The CLI possesses mutation capabilities including posting messages (chat-post), managing users/groups (users, groups), and exporting audit logs (userauditlog-list).
    * Sanitization: No sanitization of the retrieved transcript content is defined before processing.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 03:21 AM
Security Audit — agent-trust-hub — pp-roam