pp-pagliacci
Warn
Audited by Snyk on May 8, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill instructs agents to fetch and parse live data from the public Pagliacci API (e.g., pagliacci-pp-cli menu slices, menu cache, store list, orders suggestion and customer_feedback get). It also explicitly tells agents to run commands in --agent mode and parse .results to drive workflows like orders plan/reorder. As a result, untrusted/public content from the Pagliacci site (including user-submitted feedback) can materially influence tool decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs the agent to run remote-install commands at runtime (e.g., npx -y @mvanhorn/printing-press install pagliacci and go install github.com/mvanhorn/printing-press-library/library/food-and-dining/pagliacci/cmd/pagliacci-pp-cli@latest). These commands fetch and execute remote code, and they are required if the agent installs or uses the CLI.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill exposes explicit payment/transaction operations. It includes commands that submit paid orders (cart send_order — "Submit an order. Requires payment information for guests; uses stored payment for authenticated users") and commands to move value between accounts (gifts transfer — "Transfer gift card balance to another account"). These are specific, purpose-built financial actions (sending payments/transferring balances), not generic I/O or navigation tools, so it grants direct financial execution authority.
Issues (3)
W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W009 MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).