investment-note

Pass

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and displays content from stored investment notes. If a note contains instructions designed to manipulate the AI, the agent may follow them when listing or viewing note details.
  • Ingestion points: The cmd_list function in manage_note.py retrieves data from load_notes, which accesses local data storage.
  • Boundary markers: Note content is displayed without delimiters or instructions to ignore embedded instructions.
  • Capability inventory: The skill can execute shell commands via Python and interact with the local filesystem via the Bash tool.
  • Sanitization: Content undergoes basic markdown escaping for table display, but lacks validation or filtering of prompt-based instructions.
  • [COMMAND_EXECUTION]: The skill's primary entry point in SKILL.md uses direct shell interpolation of the $ARGUMENTS variable. While the allowed-tools configuration Bash(python3 *) restricts execution to the Python interpreter, this remains a surface for potential argument injection if the input is not strictly validated by the platform.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 25, 2026, 08:23 AM