pp-ucp
Pass
Audited by Gen Agent Trust Hub on Jun 15, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install the `ucp-pp-cli` and `ucp-pp-mcp` tools from the author's official NPM and GitHub repositories.
  - Evidence: `npx -y @mvanhorn/printing-press-library install ucp --cli-only` downloads and runs an installer from the author's NPM package.
  - Evidence: `go install github.com/mvanhorn/printing-press-library/library/commerce/ucp/cmd/ucp-pp-cli@latest` downloads and compiles code from the author's GitHub repository.
- [COMMAND_EXECUTION]: The skill's primary function is to execute local CLI commands via the shell using the `ucp-pp-cli` binary.
- [DATA_EXFILTRATION]: The CLI tool documented in the skill includes a feature that allows command output to be sent to external URLs.
  - Evidence: The `--deliver webhook:<url>` flag allows the agent to POST command results to an arbitrary endpoint, which could be used to transmit data outside the environment.
- [PROMPT_INJECTION]: The skill contains an attack surface for indirect prompt injection by processing data from untrusted external sources.
  - Ingestion points: The `check <domain>` command fetches and parses `/.well-known/ucp` manifest files from external, potentially attacker-controlled merchant websites.
  - Boundary markers: There are no instructions provided to the agent to disregard or sanitize potential commands or directions embedded within the fetched manifest data.
  - Capability inventory: The skill possesses the capability to execute shell commands, write to the local file system, and perform network requests via the CLI's delivery features.
  - Sanitization: The documentation does not describe any validation or escaping mechanisms for the external manifest data before it is processed by the agent.
Audit Metadata