pp-ucp

Pass

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install the ucp-pp-cli and ucp-pp-mcp tools from the author's official NPM and GitHub repositories.
      ◦ Evidence: npx -y @mvanhorn/printing-press-library install ucp --cli-only downloads and runs an installer from the author's NPM package.
      ◦ Evidence: go install github.com/mvanhorn/printing-press-library/library/commerce/ucp/cmd/ucp-pp-cli@latest downloads and compiles code from the author's GitHub repository.
  • [COMMAND_EXECUTION]: The skill's primary function is to execute local CLI commands via the shell using the ucp-pp-cli binary.
  • [DATA_EXFILTRATION]: The CLI tool documented in the skill includes a feature that allows command output to be sent to external URLs.
      ◦ Evidence: The --deliver webhook:<url> flag allows the agent to POST command results to an arbitrary endpoint, which could be used to transmit data outside the environment.
  • [PROMPT_INJECTION]: The skill contains an attack surface for indirect prompt injection by processing data from untrusted external sources.
      ◦ Ingestion points: The check <domain> command fetches and parses /.well-known/ucp manifest files from external, potentially attacker-controlled merchant websites.
      ◦ Boundary markers: There are no instructions provided to the agent to disregard or sanitize potential commands or directions embedded within the fetched manifest data.
      ◦ Capability inventory: The skill possesses the capability to execute shell commands, write to the local file system, and perform network requests via the CLI's delivery features.
      ◦ Sanitization: The documentation does not describe any validation or escaping mechanisms for the external manifest data before it is processed by the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 15, 2026, 01:50 AM
Security Audit — agent-trust-hub — pp-ucp