pp-surgegraph
Pass
Audited by Gen Agent Trust Hub on Jun 28, 2026
Risk Level: SAFE
Findings: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill documents the `--deliver webhook:<url>` flag, which allows the agent to POST the output of any command to an arbitrary URL. This feature could be used to exfiltrate sensitive project data, document content, or organization settings to external endpoints.
- [EXTERNAL_DOWNLOADS]: The skill provides instructions to install the `surgegraph-pp-cli` using `npx -y @mvanhorn/printing-press-library` and `go install github.com/mvanhorn/printing-press-library/...`. These resources are hosted on well-known platforms and are owned by the vendor/author of the skill.
- [CREDENTIALS_UNSAFE]: Commands such as `get-openai-keys`, `get-gemini-keys`, `get-anthropic-keys`, and `get-api-key` allow the agent to list and manage stored credentials. While the skill states that output is masked (last 4 characters visible), the ability for an agent to access and retrieve these configurations remains a potential risk factor.
- [COMMAND_EXECUTION]: The skill executes the `surgegraph-pp-cli` binary with user-supplied and agent-generated arguments. It includes capabilities to interact with local files (via `--deliver file:<path>`) and local search caches.
- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection by ingesting data from external answer engines and SurgeGraph project data, which is then used in content generation and publishing workflows.
  - Ingestion points: `get-ai-visibility-prompt-response`, `get-document`, and `search` (SKILL.md).
  - Boundary markers: Absent; the skill does not define specific delimiters to isolate external data from instructions.
  - Capability inventory: `publish-document-to-cms`, `update-document`, and `create-bulk-documents` (SKILL.md).
  - Sanitization: There is no evidence of sanitization or validation of the ingested content before it is used in write-intensive operations.
Audit Metadata