portfolio-monitor

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses the yfinance library to retrieve financial data (market prices, 200-day moving averages, and 52-week highs) from Yahoo Finance. This is a well-known service used for the skill's primary intended purpose of portfolio monitoring.
  • [COMMAND_EXECUTION]: The skill executes a local Python script (scripts/portfolio_monitor.py) that performs data processing and generates reports. The script's operations are transparent and limited to reading local CSV files, fetching market data via a standard library, and writing markdown files to the local directory.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes external data from a CSV file (e.g., Price_Flag and Next_Step columns). However, the risk is mitigated by the script's use of specific regex patterns that look for numerical price levels preceded by a '$' symbol. The agent is also instructed to treat the output as notification-only and to quote trigger text verbatim for human verification.
  • Ingestion points: Data enters the system via stocks/portfolio-review.csv.
  • Boundary markers: The output report uses markdown table formatting and code blocks to clearly separate data from instructions.
  • Capability inventory: The skill performs network data retrieval and local file I/O.
  • Sanitization: Trigger parsing is restricted to specific regex matches, although descriptive text is quoted verbatim into the resulting markdown report.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 16, 2026, 08:15 AM
Security Audit — agent-trust-hub — portfolio-monitor