finance-report
Warn
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
tools/ChartKit.pyusessubprocess.runto execute external Python CLI tools located in the project'ssrc/directory. While it uses a list for arguments, the inputs include ticker symbols provided by the user. - [COMMAND_EXECUTION]: Markdown instructions in
workflows/FullResearchWorkflow.mdandworkflows/GenerateSingleReport.mddirect the agent to execute shell commands (e.g.,uv run python src/analysis/risk_metrics_cli.py {TICKER} ...). These commands use ticker symbols as arguments and include shell-level redirections (>), creating a surface for command injection if the ticker symbol provided by the user contains shell metacharacters. - [DATA_EXPOSURE]: The skill reads the
fin-guru/data/user-profile.yamlfile to retrieve theinvestment_portfolio.total_valuefield, which contains sensitive user financial information used to personalize report sizing recommendations. - [PROMPT_INJECTION]: The skill ingests untrusted data from the Perplexity MCP to conduct market research and sentiment analysis, exposing it to indirect prompt injection risks.
- Ingestion points: Data is fetched via
mcp__perplexity__searchandmcp__perplexity__reasoninworkflows/FullResearchWorkflow.mdandworkflows/GenerateSingleReport.md. - Boundary markers: The instructions do not define delimiters or specific warnings to ignore instructions embedded within the research results.
- Capability inventory: The skill has the capability to write files (PDFs), execute shell commands via CLI tools, and launch subagents via the
Tasktool. - Sanitization: There is no evidence of sanitization or filtering for the external content before it is processed into the final analysis.
- [DYNAMIC_EXECUTION]: The
tools/ReportGenerator.pyscript performssys.path.insertat runtime to include the project root, enabling the dynamic loading of modules from outside the skill's specific directory. - [COMMAND_EXECUTION]: The
workflows/RegenerateBatch.mdfile instructs the agent to launch multiple parallel subagents using theTasktool, which involves the dynamic construction and execution of new agent prompts incorporating user input.
Audit Metadata