lseg-data
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [SAFE]: No malicious code or intentional security vulnerabilities were detected within the skill files.
- [PROMPT_INJECTION]: The skill documentation includes behavioral instructions for the AI agent (e.g., 'IRON LAW') to ensure data validation and quality. These are benign and intended for output reliability.
- [PROMPT_INJECTION]: The news retrieval functionality in 'references/news.md' presents a surface for indirect prompt injection by processing external news headlines and stories.
- Ingestion points: External data is fetched via 'ld.news.get_headlines()' and 'ld.news.get_story()' in 'references/news.md'.
- Boundary markers: Absent. No specific delimiters or instructions are used to separate external news content from the agent's logic.
- Capability inventory: The skill allows data retrieval, network requests to LSEG APIs, and local file operations (writing to CSV/JSON) across 'SKILL.md', 'references/news.md', and 'references/api-discovery.md'.
- Sanitization: Absent. No explicit sanitization or filtering of the external news content is implemented.
- [COMMAND_EXECUTION]: Provides instructions for launching the Refinitiv Workspace app with remote debugging enabled and using 'curl' to monitor localhost traffic for API discovery purposes in 'references/api-discovery.md'. These are standard developer procedures for exploring the platform's internal data structures.
- [EXTERNAL_DOWNLOADS]: Mentions the installation of standard and well-known Python libraries like 'lseg-data', 'refinitiv-data', and 'websockets' from official package registries.
Audit Metadata