pp-substack
Fail
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the installation of external software from npm (@mvanhorn/printing-press) and GitHub (github.com/mvanhorn/printing-press-library).
- [REMOTE_CODE_EXECUTION]: The installation instructions utilize 'npx -y' and 'go install', both of which download and execute code from remote repositories.
- [DATA_EXFILTRATION]: The 'auth login --chrome' command is designed to extract the 'substack.sid' session cookie from the user's browser, representing a high-sensitivity data access operation.
- [DATA_EXFILTRATION]: The CLI includes a '--deliver webhook:' flag that enables sending command output directly to arbitrary external URLs, creating a primary exfiltration vector.
- [DATA_EXFILTRATION]: The feedback mechanism can be configured via 'SUBSTACK_FEEDBACK_ENDPOINT' and 'SUBSTACK_FEEDBACK_AUTO_SEND' to automatically transmit local data to a remote server.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the ingestion of untrusted content from Substack.
  - Ingestion points: Command results from 'notes get', 'comments list', 'posts get-by-slug', and 'discover patterns' (SKILL.md).
  - Boundary markers: None identified to separate external content from agent instructions.
  - Capability inventory: Subprocess execution of the CLI which can perform file writes and network POSTs via webhooks (SKILL.md).
  - Sanitization: No evidence of content sanitization or validation before processing.
Recommendations
- AI detected serious security threats