crypto-news-store
Fail
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script
news_store.pyallows for the execution of arbitrary shell commands by leveraging theCRYPTO_NEWS_EMBED_CMDenvironment variable. - Evidence: In
news_store.py, theembedfunction retrieves a command string fromos.environ.get("CRYPTO_NEWS_EMBED_CMD")and executes it usingsubprocess.run(cmd, shell=True, input=text.encode(), ...). This configuration allows the system to run any command available in the shell, using the text of ingested news articles as input, which can be exploited for code execution if the environment is misconfigured. - [COMMAND_EXECUTION]: The skill uses subprocess calls to coordinate between its fetcher and storage components, including a risky
shell=Trueexecution. - Evidence:
news_fetch.pyexecutes thenews_store.pyscript usingsubprocess.run. More critically,news_store.pyusesshell=Truein its embedding logic, which is a known security risk when dealing with dynamic command strings. - [EXTERNAL_DOWNLOADS]: The skill downloads data from multiple external cryptocurrency news RSS feeds.
- Evidence:
news_fetch.pyspecifies a list of well-known news sources includinghttps://decrypt.co/feed,https://cointelegraph.com/rss,https://www.coindesk.com/arc/outboundfeeds/rss/,https://www.theblock.co/rss.xml, andhttps://bitcoinmagazine.com/feed. The content from these feeds is fetched using theurllib.requestlibrary. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of external, untrusted news data that is subsequently utilized in its internal logic.
- Ingestion points: RSS feed title and description fields are parsed in
news_fetch.py. - Boundary markers: None present. The fetched data is parsed as XML and stored in a database without delimiters or warnings to ignore embedded instructions.
- Capability inventory: Shell command execution via
CRYPTO_NEWS_EMBED_CMDinnews_store.pyand local file system access via SQLite. - Sanitization: Basic HTML tag stripping and text normalization are performed, but these measures do not prevent malicious natural language instructions from influencing the agent's behavior if it later processes the stored events.
Recommendations
- HIGH: Downloads and executes remote code from: unknown (check file) - DO NOT USE without thorough review
Audit Metadata