Skills
skills/jsoncodechina/wind-skills/wind-find-finance-skill/Gen Agent Trust Hub

wind-find-finance-skill

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions direct the AI to run a local Node.js script (scripts/check-updates.mjs) to check for updates to the skill catalog or the skill itself.
  • [EXTERNAL_DOWNLOADS]: The AI is instructed to provide the user with installation commands that fetch and install code from the vendor's repositories on GitHub (github.com/Wind-Information-Co-Ltd/wind-skills) and Gitee.
  • [COMMAND_EXECUTION]: The skill recommends global installation and update commands (using the -g flag) which may affect the user's broader system environment or other AI agents.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes skill descriptions from a local catalog file to generate recommendations.
  • Ingestion points: The AI reads references/skills-catalog.md to identify relevant tools for the user.
  • Boundary markers: Absent; the instructions do not specify delimiters or warnings to ignore potential instructions embedded in the catalog data.
  • Capability inventory: The skill can execute the update check script and recommends the execution of package installation commands to the user.
  • Sanitization: None; the content from the catalog is used directly in the AI's response generation process.
Audit Metadata
Risk Level
SAFE
Analyzed
May 15, 2026, 06:24 AM
Security Audit — agent-trust-hub — wind-find-finance-skill