market-breadth-heatmap

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/generate.py uses subprocess.run to invoke a local Node.js utility for capturing screenshots.
  • Evidence: The capture_html function executes the node command with its arguments passed as a list (no shell is spawned), so argument values cannot be interpreted as shell syntax and shell injection is not possible through this call.
  • [EXTERNAL_DOWNLOADS]: The skill fetches data from an external API and installs necessary automation dependencies.
  • Evidence: scripts/generate.py fetches market data from sckd.dapanyuntu.com using urllib.request. This is consistent with the skill's purpose as a market data visualizer.
  • Evidence: The skill requires installing the playwright package and its Chromium browser engine via the standard npm and npx commands.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface due to how it handles external data during the rendering process.
  • Ingestion points: Data fetched from the sckd.dapanyuntu.com API is processed and stored in a local HTML file.
  • Boundary markers: Absent; there are no specific markers or instructions to the agent to ignore content within the fetched data.
  • Capability inventory: The skill can execute commands via subprocess.run and use a headless browser (Playwright) which has access to the local filesystem.
  • Sanitization: The skill uses json.dumps for data preparation but injects the resulting string into the HTML template by plain string replacement inside a script tag. json.dumps does not escape '<', '>' or '&', so a string value from the source API containing '</script>' would close the script element early and let attacker-supplied markup or JavaScript run in the headless browser while the image is rendered. This is a minor, data-dependent vulnerability: it requires the upstream API to return malicious content, but no encoding step currently prevents it.
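The following is an added illustration, not code from the skill or from the audit, of the script-context break-out the Sanitization finding describes and of the fix a practitioner would apply. The template string, the __DATA__ placeholder, the record layout and the field name "note" are all assumptions; the real generate.py template and the API schema are not on the page. The malicious record is constructed for the example.

```python
import json
import re

# Constructed sample: a record shaped like a market-breadth data row in which
# one string field carries attacker-controlled text. The field name "note" and
# the record layout are assumptions; the real API schema is not on the page.
MALICIOUS_RECORD = {
    "sector": "Technology",
    "breadth": 0.73,
    "note": "</script><script>alert(document.cookie)</script><script>",
}

# Assumed shape of the HTML template and its placeholder (hypothetical).
TEMPLATE = "<html><body><script>const DATA = __DATA__;</script></body></html>"


def render_unsafe(record: dict) -> str:
    """json.dumps + str.replace, the pattern the audit describes.

    json.dumps leaves '<', '>' and '&' untouched inside string values, so a
    '</script>' in the data closes the script element early and whatever
    follows is parsed as markup by the headless browser.
    """
    return TEMPLATE.replace("__DATA__", json.dumps(record))


def json_for_script(record: dict) -> str:
    """Serialise to a JSON literal that is safe inside a <script> element.

    '<', '>' and '&' are replaced by JSON \\uXXXX escapes. The HTML parser never
    sees a tag, while JSON.parse / the JS parser decode the escapes back to the
    original characters, so the data round-trips unchanged. ensure_ascii=True
    (the default) already escapes U+2028/U+2029, which older JavaScript
    parsers treat as line terminators.
    """
    return (
        json.dumps(record)
        .replace("&", "\\u0026")
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
    )


def render_safe(record: dict) -> str:
    """Same template, but with the hardened serialiser."""
    return TEMPLATE.replace("__DATA__", json_for_script(record))


_SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)


def count_script_elements(html: str) -> int:
    """Number of <script> openers the HTML parser would see.

    A correctly embedded payload leaves exactly the one from the template.
    """
    return len(_SCRIPT_OPEN.findall(html))


def roundtrip(record: dict) -> dict:
    """Show the escaped literal still decodes to the original object."""
    return json.loads(json_for_script(record))


if __name__ == "__main__":
    print("unsafe:", count_script_elements(render_unsafe(MALICIOUS_RECORD)))
    print("safe:  ", count_script_elements(render_safe(MALICIOUS_RECORD)))
    assert roundtrip(MALICIOUS_RECORD) == MALICIOUS_RECORD
```

Escaping the three HTML-significant characters inside the JSON literal closes the break-out in the rendering step; it does not change the indirect prompt-injection picture from the earlier bullets, because the fetched text still reaches the agent through the rendered output and should still be treated as untrusted data rather than instructions.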
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 9, 2026, 03:48 PM