crypto-news-store

Fail

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script news_store.py allows for the execution of arbitrary shell commands by leveraging the CRYPTO_NEWS_EMBED_CMD environment variable.
  • Evidence: In news_store.py, the embed function retrieves a command string from os.environ.get("CRYPTO_NEWS_EMBED_CMD") and executes it using subprocess.run(cmd, shell=True, input=text.encode(), ...). This configuration allows the system to run any command available in the shell, using the text of ingested news articles as input, which can be exploited for code execution if the environment is misconfigured.
  • [COMMAND_EXECUTION]: The skill uses subprocess calls to coordinate between its fetcher and storage components, including a risky shell=True execution.
  • Evidence: news_fetch.py executes the news_store.py script using subprocess.run. More critically, news_store.py uses shell=True in its embedding logic, which is a known security risk when dealing with dynamic command strings.
  • [EXTERNAL_DOWNLOADS]: The skill downloads data from multiple external cryptocurrency news RSS feeds.
  • Evidence: news_fetch.py specifies a list of well-known news sources including https://decrypt.co/feed, https://cointelegraph.com/rss, https://www.coindesk.com/arc/outboundfeeds/rss/, https://www.theblock.co/rss.xml, and https://bitcoinmagazine.com/feed. The content from these feeds is fetched using the urllib.request library.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of external, untrusted news data that is subsequently utilized in its internal logic.
  • Ingestion points: RSS feed title and description fields are parsed in news_fetch.py.
  • Boundary markers: None present. The fetched data is parsed as XML and stored in a database without delimiters or warnings to ignore embedded instructions.
  • Capability inventory: Shell command execution via CRYPTO_NEWS_EMBED_CMD in news_store.py and local file system access via SQLite.
  • Sanitization: Basic HTML tag stripping and text normalization are performed, but these measures do not prevent malicious natural language instructions from influencing the agent's behavior if it later processes the stored events.
Recommendations
  • HIGH: Downloads and executes remote code from: unknown (check file) - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 16, 2026, 08:03 AM
Security Audit — agent-trust-hub — crypto-news-store