pp-substack
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill uses `auth login --chrome` (leveraging tools like `pycookiecheat`) to extract sensitive Substack session cookies (substack.sid) from the user's local browser for authentication. This bypasses standard API security models and places sensitive credentials at risk of exposure.
- [DATA_EXFILTRATION]: The skill includes a `--deliver webhook:<url>` feature that allows the agent to POST the output of any command—including potentially sensitive analytics or profile data—to an arbitrary external URL.
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download and install external code via `npx` from the `@mvanhorn` npm scope and `go install` from a GitHub repository owned by `mvanhorn`. While these are vendor-provided resources, they represent a remote code ingestion point during the setup phase.
- [COMMAND_EXECUTION]: The skill relies on executing a local binary (`substack-pp-cli`) via shell commands, which is its primary method of operation.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it ingests untrusted content from Substack posts and comments.
  - Ingestion points: Commands such as `comments list`, `posts get-by-slug`, and `inbox home` fetch external data from Substack into the agent's context.
  - Boundary markers: None identified in the provided instructions.
  - Capability inventory: The skill possesses significant capabilities including arbitrary shell command execution via the `Bash` tool and the ability to exfiltrate data via webhooks.
  - Sanitization: No explicit sanitization or filtering of the fetched Substack content is described.
Audit Metadata