pp-splitwise
Warn
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The `splitwise-pp-cli` supports a `--deliver webhook:<url>` flag that can POST sensitive financial results, such as balances, spend history, and debts, to any external URL provided as an argument.
- [REMOTE_CODE_EXECUTION]: The skill provides instructions for the agent to download and execute code at runtime using `npx -y @mvanhorn/printing-press-library` and `go install github.com/mvanhorn/printing-press-library/...`.
- [EXTERNAL_DOWNLOADS]: Core functionality depends on downloading and installing the `splitwise-pp-cli` and `splitwise-pp-mcp` binaries from external registries including npm and GitHub.
- [COMMAND_EXECUTION]: The skill relies on executing shell commands via the `Bash` tool to interact with the Splitwise API and the local SQLite ledger using the `splitwise-pp-cli` binary.
- [PROMPT_INJECTION]: The skill processes untrusted data from Splitwise (expense descriptions, comments, and group names) which can contain malicious instructions.
  - Ingestion points: Reads from the Splitwise API and local synced store via `search`, `ledger`, and `activity` commands.
  - Boundary markers: None identified in the prompt templates to distinguish between data and instructions.
  - Capability inventory: The agent has access to `Bash` for command execution and file system access.
  - Sanitization: No explicit sanitization or escaping of external financial data is described before it is returned to the agent context.
Audit Metadata