bingx-trade-review
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local Python scripts (
scripts/review.py,scripts/tags.py) to perform statistical analysis and generate PNG charts. These scripts are bundled with the skill and use standard data processing logic. - [DATA_EXFILTRATION]: The skill communicates with official BingX API domains (
open-api.bingx.com,open-api-vst.bingx.com) to retrieve trade records. This network activity is limited to the vendor's own infrastructure and is required for the skill's primary function. - [EXTERNAL_DOWNLOADS]: The skill specifies requirements for well-known data science packages (
pandas,matplotlib,numpy) from standard package registries. - [SAFE]: The skill processes untrusted external data (API responses) but limits its use to structured numerical analysis and chart generation, effectively mitigating indirect prompt injection risks.
- Ingestion points: Historical trade data from BingX API and local JSON storage handled in
scripts/storage.py. - Boundary markers: Data is passed as structured JSON strings to analysis scripts via command-line arguments.
- Capability inventory: The skill utilizes subprocess execution for Python scripts and writes data/charts to a local hidden directory (
~/.bingx-skills/). - Sanitization: Interaction rules explicitly mandate extracting structured values from user intent rather than using raw text to prevent parameter injection.
Audit Metadata