Skills
skills/mvanhorn/printing-press-library/pp-company-goat/Gen Agent Trust Hub

pp-company-goat

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads a CLI tool (company-goat-pp-cli) from the author's GitHub repository (github.com/mvanhorn/printing-press-library) using the Go toolchain.
  • [REMOTE_CODE_EXECUTION]: The skill suggests installation via npx -y @mvanhorn/printing-press and go install, which involves downloading and executing code from the vendor's package registry and repository.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to run the company-goat-pp-cli binary with user-provided arguments.
  • [DATA_EXFILTRATION]: The CLI tool supports a --deliver webhook:<url> flag, allowing users or agents to send command output to external HTTP endpoints. A feedback command also exists for sending data to a remote server.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection.
  • Ingestion points: Data is fetched from external sources (SEC, GitHub, HN, YC) in SKILL.md through CLI calls.
  • Boundary markers: None identified in the prompt templates.
  • Capability inventory: Uses the Bash tool for command execution in SKILL.md.
  • Sanitization: No sanitization of external data is specified.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 01:28 AM