trader-regime
Warn
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill performs an automated installation of the 'neural-trader' package from the public npm registry if it is not found locally. Although the command includes the '--ignore-scripts' flag to prevent execution of malicious lifecycle scripts (like preinstall or postinstall) during the download phase, the package remains an external dependency from a source not explicitly categorized as trusted.
- [COMMAND_EXECUTION]: The skill instructions direct the agent to execute shell commands using 'npx' to run the 'neural-trader' utility. This tool is invoked with user-supplied arguments (ticker symbols), which involves running third-party code within the local execution environment.
- [PROMPT_INJECTION]: The skill utilizes data ingestion tools, specifically 'mcp__claude-flow__memory_search' and 'mcp__claude-flow__neural_predict'. These components retrieve historical data and external prediction results which could potentially harbor indirect prompt injection strings if the source data (e.g., historical market analysis or technical indicator strings) is compromised or contains adversarial instructions designed to influence the agent's behavior.
Audit Metadata