pp-withings

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructions require the user to install the withings-pp-cli binary using npx -y @mvanhorn/printing-press-library or go install github.com/mvanhorn/printing-press-library/library/devices/withings/cmd/withings-pp-cli@latest. These resources are hosted under the author's own GitHub account and NPM scope.
  • [DATA_EXFILTRATION]: The CLI tool includes a --deliver webhook:<url> feature that allows the agent to POST command results to an external URL. Additionally, the tool features a feedback mechanism that can transmit locally stored logs to a remote endpoint if the WITHINGS_FEEDBACK_ENDPOINT environment variable is set.
  • [COMMAND_EXECUTION]: The skill operates by executing the withings-pp-cli binary via shell commands, utilizing arguments provided by the agent to perform health data analysis.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it ingests external health data (from the Withings API) that is subsequently processed by the agent. Ingestion points: Withings health metrics retrieved via API. Boundary markers: The skill does not define specific delimiters or instructions to ignore potential commands within the health data. Capability inventory: The skill triggers shell subprocesses via the CLI tool. Sanitization: No data sanitization or validation of API responses is documented.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 22, 2026, 10:53 AM
Security Audit — agent-trust-hub — pp-withings