pp-splitwise

Warn

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The splitwise-pp-cli supports a --deliver webhook:<url> flag that can POST sensitive financial results, such as balances, spend history, and debts, to any external URL provided as an argument.
  • [REMOTE_CODE_EXECUTION]: The skill provides instructions for the agent to download and execute code at runtime using npx -y @mvanhorn/printing-press-library and go install github.com/mvanhorn/printing-press-library/....
  • [EXTERNAL_DOWNLOADS]: Core functionality depends on downloading and installing the splitwise-pp-cli and splitwise-pp-mcp binaries from external registries including npm and GitHub.
  • [COMMAND_EXECUTION]: The skill relies on executing shell commands via the Bash tool to interact with the Splitwise API and the local SQLite ledger using the splitwise-pp-cli binary.
  • [PROMPT_INJECTION]: The skill processes untrusted data from Splitwise (expense descriptions, comments, and group names), which can contain malicious instructions.
    • Ingestion points: Reads from the Splitwise API and local synced store via search, ledger, and activity commands.
    • Boundary markers: None identified in the prompt templates to distinguish between data and instructions.
    • Capability inventory: The agent has access to Bash for command execution and file system access.
    • Sanitization: No explicit sanitization or escaping of external financial data is described before it is returned to the agent context.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 21, 2026, 07:23 PM