pp-NSE India
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches and installs the
nse-india-pp-cliandnse-india-pp-mcptools usingnpxfrom the@mvanhornnpm scope andgo installfrom thegithub.com/mvanhornrepository.\n- [COMMAND_EXECUTION]: The skill utilizes theBashtool to execute thense-india-pp-clibinary for tasks such as fetching quotes, analyzing delivery spikes, and calculating portfolio performance.\n- [DATA_EXFILTRATION]: The CLI includes a--deliver webhook:<url>feature that allows the tool to POST its output (which may include data from local holdings files) to an external HTTP endpoint. This is a documented functionality of the vendor's tool.\n- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection due to the processing of external data sources.\n - Ingestion points: Retrieves live NSE quotes, exchange filings, and corporate announcements from the market, and reads user-provided CSV holdings files (SKILL.md).\n
- Boundary markers: No explicit delimiter or instructions to ignore embedded commands are present in the skill instructions.\n
- Capability inventory: The skill has access to the
BashandReadtools, allowing for command execution and file system access.\n - Sanitization: There is no evidence of sanitization or validation of the content retrieved from external market data sources before it is presented to the agent.
Audit Metadata