PortfolioSyncing
Pass
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXFILTRATION]: The skill reads sensitive financial information from local CSV files, including
Portfolio_Positions_*.csv,Balances_*.csv, andHistory_for_Account_*.csv. This data, which includes balances and position history, is transmitted to Google Sheets via themcp__gdrive__sheetstool. This behavior is documented and is essential for the skill's functionality. - [COMMAND_EXECUTION]: The skill executes Google Sheets operations using the
mcp__gdrive__sheetstool. It implements safe update patterns by instructing the agent to modify only specific cells (Ticker, Quantity, Cost Basis) while explicitly forbidding range updates that would overwrite or delete calculations and formulas in protected columns. - [PROMPT_INJECTION]: An indirect prompt injection surface is present because the skill processes external CSV files. This risk is managed by the skill's parsing logic, which focuses on extracting specific data points, and the inclusion of 'Safety Gates' (STOP conditions) that halt the workflow and require manual user confirmation if anomalous data is detected, such as a 10% change in quantity or a 20% change in cost basis.
Audit Metadata