equity-researcher

Pass

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses internal Python scripts to generate financial charts and validate report structures. Specifically, scripts/embed_charts.py invokes scripts/chart_generator.py using subprocess.run(). This is a standard architectural choice for isolating data visualization tasks and is executed without elevated privileges.- [EXTERNAL_DOWNLOADS]: The skill fetches financial data from well-known and reputable services including Yahoo Finance, iFind, and Tianyancha. It also references the Mermaid.js library from a trusted CDN (jsDelivr) to render industry chain diagrams. These operations are consistent with the skill's core purpose of investment research.- [DATA_EXPOSURE_AND_EXFILTRATION]: While the skill performs network operations to retrieve financial data, no patterns of exfiltrating sensitive user credentials or accessing restricted system files were detected. The data ingested (stock prices, filings, news) is public financial information.- [DYNAMIC_EXECUTION]: The workflow involves generating a temporary HTML file for rendering Mermaid diagrams via Playwright. This technique is used to bypass the lack of JavaScript execution in PDF generators and is a routine method for producing static diagrams in document automation.- [INDIRECT_PROMPT_INJECTION]: The skill processes data from external web searches and APIs. While this creates a theoretical attack surface, the risk is mitigated by the use of structured templates (Research Document, Analysis Brief) and specific logic-based processing. The potential for malicious instructions embedded in financial data to manipulate the agent is considered low and within standard operational bounds.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 30, 2026, 05:29 AM
Security Audit — agent-trust-hub — equity-researcher