portfolio-monitor
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses the
yfinancelibrary to retrieve financial data (market prices, 200-day moving averages, and 52-week highs) from Yahoo Finance. This is a well-known service used for the skill's primary intended purpose of portfolio monitoring. - [COMMAND_EXECUTION]: The skill executes a local Python script (
scripts/portfolio_monitor.py) that performs data processing and generates reports. The script's operations are transparent and limited to reading local CSV files, fetching market data via a standard library, and writing markdown files to the local directory. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes external data from a CSV file (e.g.,
Price_FlagandNext_Stepcolumns). However, the risk is mitigated by the script's use of specific regex patterns that look for numerical price levels preceded by a '$' symbol. The agent is also instructed to treat the output as notification-only and to quote trigger text verbatim for human verification. - Ingestion points: Data enters the system via
stocks/portfolio-review.csv. - Boundary markers: The output report uses markdown table formatting and code blocks to clearly separate data from instructions.
- Capability inventory: The skill performs network data retrieval and local file I/O.
- Sanitization: Trigger parsing is restricted to specific regex matches, although descriptive text is quoted verbatim into the resulting markdown report.
Audit Metadata