tracking-crypto-portfolio

Pass

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: SAFE
Full Analysis
  • [DATA_EXPOSURE_&_EXFILTRATION]: The skill performs network requests to the CoinGecko API (api.coingecko.com) to fetch real-time cryptocurrency prices. This is a well-known service and the operations are restricted to fetching public market data. No sensitive local data or credentials are transmitted.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from user-provided portfolio JSON files.
      • Ingestion points: scripts/portfolio_loader.py reads holdings from local JSON files.
      • Boundary markers: The skill treats the input as structured JSON and enforces a strict schema for keys like coin, quantity, and cost_basis.
      • Capability inventory: The skill uses requests for network access (CoinGecko) and writes output to local files (JSON/CSV exports).
      • Sanitization: PortfolioLoader validates and casts input values (e.g., converting quantity to floats) before they are used in calculations or formatted for output, effectively neutralizing injection risks into the processing logic.
  • [EXTERNAL_DOWNLOADS]: The skill requires the requests Python package, which is a standard, well-known library for HTTP operations. It does not download or execute any unknown external scripts.
  • [COMMAND_EXECUTION]: The skill uses scoped Bash tool access (crypto:portfolio-*) to execute its own Python scripts. This implementation follows the principle of least privilege by restricting shell execution to a specific namespace.
Audit Metadata
Risk Level: SAFE
Analyzed: May 12, 2026, 07:05 AM