trader-cloud-backtest

Warn

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill installs the neural-trader package from the NPM registry during the initialization of the cloud container via the initScript. While the use of the --ignore-scripts flag during installation is a defensive best practice, it still involves the execution of external third-party code.
  • [COMMAND_EXECUTION]: The skill constructs shell commands for the managed agent by directly interpolating user-provided arguments (such as strategy names, tickers, and date ranges) into command strings.
      • Ingestion Points: User arguments from the skill's command interface (e.g., <strategy-or-model>, <TICKER>).
      • Boundary Markers: No delimiters or sanitization logic are present to isolate user input from the shell command structure.
      • Capability Inventory: The managed_agent_prompt tool provides a shell environment within the container, which is configured with networking: "unrestricted".
      • Sanitization: There is no evidence of input validation or shell-escaping before the arguments are passed to the remote environment, which could allow for command injection if malicious strings are provided as arguments.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 20, 2026, 10:52 AM