Skills
skills/brycewang-stanford/auto-empirical-research-skills/fiscal-briefing/Gen Agent Trust Hub

fiscal-briefing

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's initialization preamble executes several local binary scripts such as econstack-update-check and econstack-learnings-read. These files reside in ~/.claude/skills/econstack/bin/, which is outside the skill's own directory, making their internal logic unverifiable from the skill's source code.
  • [REMOTE_CODE_EXECUTION]: The instruction eval "$(~/.claude/skills/econstack/bin/econstack-slug)" uses eval on the output of a script. This is a dangerous pattern that executes the script's output directly as shell commands, which could lead to arbitrary code execution if the script is compromised or produces malicious output.
  • [EXTERNAL_DOWNLOADS]: The skill recommends that the user install the debtkit R package directly from a third-party GitHub repository (charlescoverdale/debtkit) which is not an official or well-known trusted source.
  • [EXTERNAL_DOWNLOADS]: The skill suggests cloning an external data repository (econstack-data) from a third-party GitHub user (charlescoverdale) to enable full parameter support, posing a supply chain risk.
  • [DATA_EXFILTRATION]: The skill implements an update check mechanism and a 'learnings' logging system (econstack-learnings-log) that tracks user insights and project details. This implies network activity for updates and the collection of potentially sensitive contextual information from the agent's session.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests large volumes of data from external government APIs and local files to generate its briefings.
  • Ingestion points: Reads core fiscal indicators from various agencies including ONS, HMRC, HMT, OBR, BEA, Treasury, CBO, OMB, ABS, and PBO. It also ingests local fact files and parameters from ~/econstack-data/parameters/.
  • Boundary markers: While the skill uses a structured output template and enforces citation discipline, it lacks explicit boundary markers or instructions to the agent to ignore any embedded commands within the fetched data.
  • Capability inventory: The skill has access to Bash for executing shell commands and fetching data, and Write for creating report files.
  • Sanitization: There is no evidence of input validation or sanitization for the data retrieved from external sources before it is processed by the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 13, 2026, 11:31 AM
Security Audit — agent-trust-hub — fiscal-briefing