plan-execute
Pass
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's workflow instructions direct the agent to execute local Python scripts by interpolating raw user input into shell commands (e.g., python3 scripts/get_context.py "<ユーザー入力>"). Interpolating unescaped input into a command string is a best-practice violation that could lead to shell command injection if a user supplies input crafted to break out of the quoted argument.
- [PROMPT_INJECTION]: The skill ingests untrusted data from both user inputs and external sources such as WebSearch results and yfinance, and processes it through an autonomous multi-agent pipeline. It lacks explicit boundary markers or sanitization, creating a surface for indirect prompt injection.
- Ingestion points: User-provided goals in Phases 1 and 2, and WebSearch/yfinance results retrieved during autonomous research in Phase 4.
- Boundary markers: The skill does not define specific delimiters or instructions to treat external data as untrusted content, increasing the risk that the agent may follow instructions embedded within that data.
- Capability inventory: The skill can execute multiple local scripts (run_portfolio.py, run_research.py, etc.), read configuration files (user_profile.yaml), and perform network operations through tools.
- Sanitization: There is no description of input validation or escaping mechanisms to protect against malicious payloads in the external data or user input.
Audit Metadata