wolt
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides instructions to download and install the
wolt-pp-clibinary usingnpxfrom the@mvanhorn/printing-press-librarypackage andgo installfrom the author's GitHub repositorygithub.com/mvanhorn/printing-press-library. These are vendor-owned resources used for the skill's primary function. - [COMMAND_EXECUTION]: The skill relies on the
Bashtool to execute thewolt-pp-cliutility for various operations including city listing, restaurant searching, and menu retrieval. - [DATA_EXFILTRATION]: The CLI tool includes a
--deliver webhook:<url>feature that allows the output of any command to be sent to an external HTTP endpoint. It also includes afeedbackcommand that can optionally transmit data to an external server defined by theWOLT_FEEDBACK_ENDPOINTenvironment variable. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted external data from Wolt's APIs, such as restaurant names and menu item descriptions.
- Ingestion points: Data enters the context via the output of
list-restaurants-near,search, andmenu showcommands inSKILL.md. - Boundary markers: The instructions do not define delimiters or specific safety warnings to the agent regarding the processing of retrieved external content.
- Capability inventory: The skill has access to the
Bashtool and can write to the local filesystem via the--deliver file:<path>flag. - Sanitization: There is no explicit sanitization or filtering of the external API content before it is processed by the agent.
Audit Metadata