clawshire-financial-analysis
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to api.clawshire.cn to upload PDF documents and retrieve analysis results.
- [DATA_EXFILTRATION]: User-provided financial documents (PDFs) are transmitted to the external ClawShire service for processing.
- [COMMAND_EXECUTION]: A Python script (financial_analysis_client.py) is used to facilitate API interactions and report generation, requiring execution in the agent environment.
- [PROMPT_INJECTION]: The skill exhibits a potential surface for indirect prompt injection as it processes untrusted PDF data through a remote service and interpolates the results into a local HTML report. (1) Ingestion points: Analysis results retrieved from the ClawShire API in financial_analysis_client.py. (2) Boundary markers: None identified in the client-side script. (3) Capability inventory: Network access for data transmission and file system access for writing reports. (4) Sanitization: No sanitization is applied to the API response data before it is embedded into the generated HTML report template.
Audit Metadata