cn-realtime-quote

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFE
DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill performs outbound network requests using curl to a non-whitelisted IP address (43.167.234.49:3101) to retrieve financial data.
  • [CREDENTIALS_UNSAFE]: The documentation and examples in SKILL.md contain a hardcoded dummy API key (123456). While likely a placeholder, hardcoding keys in skill instructions is a poor security practice.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and displays data from an external API that could be manipulated by an attacker who gains control of the endpoint.
    • Ingestion points: API responses from http://43.167.234.49:3101/api/v2/cnstock/securities defined in SKILL.md.
    • Boundary markers: Absent; there are no instructions for the agent to treat the external JSON data as untrusted or to ignore instructions embedded within the data fields.
    • Capability inventory: Network access via curl to retrieve external content.
    • Sanitization: No explicit validation or sanitization logic is provided to verify the integrity of the data returned by the API before processing it.
Audit Metadata
Risk Level: SAFE
Analyzed: May 8, 2026, 02:50 PM