pp-NSE India

Pass

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches and installs the nse-india-pp-cli and nse-india-pp-mcp tools using npx from the @mvanhorn npm scope and go install from the github.com/mvanhorn repository.\n- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to execute the nse-india-pp-cli binary for tasks such as fetching quotes, analyzing delivery spikes, and calculating portfolio performance.\n- [DATA_EXFILTRATION]: The CLI includes a --deliver webhook:<url> feature that allows the tool to POST its output (which may include data from local holdings files) to an external HTTP endpoint. This is a documented functionality of the vendor's tool.\n- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection due to the processing of external data sources.\n
  • Ingestion points: Retrieves live NSE quotes, exchange filings, and corporate announcements from the market, and reads user-provided CSV holdings files (SKILL.md).\n
  • Boundary markers: No explicit delimiter or instructions to ignore embedded commands are present in the skill instructions.\n
  • Capability inventory: The skill has access to the Bash and Read tools, allowing for command execution and file system access.\n
  • Sanitization: There is no evidence of sanitization or validation of the content retrieved from external market data sources before it is presented to the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 17, 2026, 04:07 PM
Security Audit — agent-trust-hub — pp-NSE India