crypto-token-screener
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the agent to execute a bundled Python script to gather data.
- Evidence: The
SKILL.mdinstructions explicitly direct the agent to runpython3 skills/crypto-token-screener/scripts/screen.pywith various arguments. - Execution Method: The script is executed locally using the system's Python interpreter or a specified virtual environment path.
- [EXTERNAL_DOWNLOADS]: The Python script performs network operations to retrieve market data from external services.
- Evidence: The script
scripts/screen.pyusesurllib.requestto fetch JSON data fromapi.llama.fi(DefiLlama) andapi.coingecko.com(CoinGecko). - Context: These are well-known technology services in the cryptocurrency domain and are used as intended for the skill's primary purpose.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill performs network operations but does not access sensitive user data.
- Evidence: The script fetches public financial data. It does not access environment variables, credential files, or private user directories. Use of public APIs with no authentication tokens is considered a safe pattern.
- [INDIRECT_PROMPT_INJECTION]: The skill processes data from external APIs which constitutes an injection surface.
- Ingestion points:
scripts/screen.pyingests JSON data from the DefiLlama and CoinGecko APIs. - Boundary markers: None explicitly used in the script output table; the agent parses the stdout table directly.
- Capability inventory: The agent has the capability to write the analysis results to a markdown file (
crypto/next-hype-candidates.md). - Sanitization: The script strictly parses numeric and string fields from the JSON response, significantly limiting the risk of executable instructions being passed through the API data.
Audit Metadata