coinstats-portfolio

Pass

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: SAFE · EXTERNAL_DOWNLOADS · COMMAND_EXECUTION · DATA_EXFILTRATION · PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill installs the 'coinstats-cli' package from the Node.js package registry during its setup process.
  • [COMMAND_EXECUTION]: The skill uses a command-line interface to interact with portfolio data, including commands for viewing charts, syncing data, and deleting portfolios.
  • [DATA_EXFILTRATION]: The skill reads from local files './wallet.json' and './transaction.json' to connect wallets and record transactions; while appropriate for the skill's function, this represents access to local file data.
  • [PROMPT_INJECTION]: The skill's ingestion of local JSON files for portfolio management creates a potential surface for indirect prompt injection.
      • Ingestion points: wallet.json and transaction.json files specified in the command arguments in SKILL.md.
      • Boundary markers: The skill does not define specific boundaries or instructions to ignore embedded prompts within the ingested files.
      • Capability inventory: The skill has the ability to execute various subcommands of the 'coinstats' CLI through a bash interface.
      • Sanitization: The skill lacks explicit validation or sanitization routines for the content of the data files it processes.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 19, 2026, 10:09 PM