pp-shopping

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
Categories flagged: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the shopping-pp-cli binary. It provides instructions to download this tool using npx from the @mvanhorn npm scope and go install from the vendor's GitHub repository.
      Evidence: Installation commands reference github.com/mvanhorn/printing-press-library and @mvanhorn/printing-press-library.
  • [COMMAND_EXECUTION]: The skill is designed to execute the local shopping-pp-cli binary for all tasks. This includes data synchronization, price comparison, and deal discovery.
      Evidence: Numerous examples of shopping-pp-cli <command> usage, including index, compare, deals, and arbitrage.
  • [DATA_EXFILTRATION]: The CLI tool features a --deliver flag that supports sending command output to external webhooks. While intended for automation, this provides a mechanism for routing data to remote servers.
      Evidence: Documentation for --deliver webhook:<url> allowing users to POST output body to a specified URL.
  • [COMMAND_EXECUTION]: The skill supports MCP (Model Context Protocol) integration by installing a secondary binary.
      Evidence: Instructions to go install and add shopping-pp-mcp to the Claude Code configuration.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Jun 13, 2026, 07:08 PM