finance-report

Warn

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script tools/ChartKit.py uses subprocess.run to execute external Python CLI tools located in the project's src/ directory. While it uses a list for arguments, the inputs include ticker symbols provided by the user.
  • [COMMAND_EXECUTION]: Markdown instructions in workflows/FullResearchWorkflow.md and workflows/GenerateSingleReport.md direct the agent to execute shell commands (e.g., uv run python src/analysis/risk_metrics_cli.py {TICKER} ...). These commands use ticker symbols as arguments and include shell-level redirections (>), creating a surface for command injection if the ticker symbol provided by the user contains shell metacharacters.
  • [DATA_EXPOSURE]: The skill reads the fin-guru/data/user-profile.yaml file to retrieve the investment_portfolio.total_value field, which contains sensitive user financial information used to personalize report sizing recommendations.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from the Perplexity MCP to conduct market research and sentiment analysis, exposing it to indirect prompt injection risks.
  • Ingestion points: Data is fetched via mcp__perplexity__search and mcp__perplexity__reason in workflows/FullResearchWorkflow.md and workflows/GenerateSingleReport.md.
  • Boundary markers: The instructions do not define delimiters or specific warnings to ignore instructions embedded within the research results.
  • Capability inventory: The skill has the capability to write files (PDFs), execute shell commands via CLI tools, and launch subagents via the Task tool.
  • Sanitization: There is no evidence of sanitization or filtering for the external content before it is processed into the final analysis.
  • [DYNAMIC_EXECUTION]: The tools/ReportGenerator.py script performs sys.path.insert at runtime to include the project root, enabling the dynamic loading of modules from outside the skill's specific directory.
  • [COMMAND_EXECUTION]: The workflows/RegenerateBatch.md file instructs the agent to launch multiple parallel subagents using the Task tool, which involves the dynamic construction and execution of new agent prompts incorporating user input.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 27, 2026, 09:24 AM