cn-market

Fail

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill includes a hardcoded API key (123456) within the AUTH variable. Hardcoding scalar values for credentials in instructions is a high-risk practice.
  • [COMMAND_EXECUTION]: The skill utilizes curl commands to perform network requests, granting the agent shell-level execution capabilities for data retrieval.
  • [DATA_EXFILTRATION]: The skill performs network operations to an external IP address (43.167.234.49) that is not included in the recognized whitelisted domains.
  • [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it ingests and processes untrusted data from an external API.
    1. Ingestion points: API responses from http://43.167.234.49:3101/api/v2/.
    2. Boundary markers: No delimiters or ignore instructions are present to separate API content from agent instructions.
    3. Capability inventory: Shell execution via curl.
    4. Sanitization: No evidence of data validation or content filtering was found in the skill instructions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 8, 2026, 02:51 PM