wolt

Pass

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill provides instructions to download and install the wolt-pp-cli binary using npx from the @mvanhorn/printing-press-library package and go install from the author's GitHub repository github.com/mvanhorn/printing-press-library. These are vendor-owned resources used for the skill's primary function.
  • [COMMAND_EXECUTION]: The skill relies on the Bash tool to execute the wolt-pp-cli utility for various operations including city listing, restaurant searching, and menu retrieval.
  • [DATA_EXFILTRATION]: The CLI tool includes a --deliver webhook:<url> feature that allows the output of any command to be sent to an external HTTP endpoint. It also includes a feedback command that can optionally transmit data to an external server defined by the WOLT_FEEDBACK_ENDPOINT environment variable.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted external data from Wolt's APIs, such as restaurant names and menu item descriptions.
  • Ingestion points: Data enters the context via the output of list-restaurants-near, search, and menu show commands in SKILL.md.
  • Boundary markers: The instructions do not define delimiters or specific safety warnings to the agent regarding the processing of retrieved external content.
  • Capability inventory: The skill has access to the Bash tool and can write to the local filesystem via the --deliver file:<path> flag.
  • Sanitization: There is no explicit sanitization or filtering of the external API content before it is processed by the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 14, 2026, 01:37 PM
Security Audit — agent-trust-hub — wolt