industry-research

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses a custom Go binary named 'researcher' to manage research workspaces, generate plans, and perform data retrieval. This binary is compiled locally and used to execute structured research tasks.
  • [EXTERNAL_DOWNLOADS]: The 'researcher' CLI tool interfaces with external APIs for data retrieval, specifically Bocha (bocha.cn) for web search and Volcengine (volces.com, a ByteDance service) for model-based answers. These requests are authenticated via user-provided API keys in environment variables and are used to gather research data.
  • [DATA_EXFILTRATION]: While the skill communicates with external APIs, it does so to fulfill its primary purpose of market research. It sends research queries to established providers and does not attempt to access or exfiltrate sensitive local files such as credentials or SSH keys.
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from the web (via search results and URL scraping). To mitigate this inherent attack surface, it implements a robust 'Evidence Delta Protocol' and an adversarial workflow where multiple agents (Red Team, Blue Team, and Arbitrator) cross-verify findings against physical business traces (e.g., POI data, hiring records, and business registrations).
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 03:15 AM
Security Audit — agent-trust-hub — industry-research