trader-explain
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUM

Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The bash command in Step 2, `npx neural-trader --predict --signal "$SIGNAL_ID" --explain --json`, directly interpolates the `$SIGNAL_ID` variable, which originates from the user-provided `<signalId>` argument. This creates a potential shell command injection vulnerability if the input is not strictly validated.
- [CREDENTIALS_UNSAFE]: The skill instructions specify reading sensitive Ed25519 private keys from the environment variable `RUFLO_WITNESS_KEY_PATH` or the file path `verification/witness-key.json`. Accessing raw private keys in this manner increases the risk of credential exposure or theft.
- [REMOTE_CODE_EXECUTION]: The skill uses `npx neural-trader` to perform analysis. This command dynamically fetches and executes code from the npm registry at runtime, which can be exploited if the package is compromised or if a typosquatting attack occurs.
- [EXTERNAL_DOWNLOADS]: The use of `npx` results in the download of external software packages during the skill's execution, introducing a dependency on external infrastructure and unverified third-party code.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface, as it processes untrusted data retrieved from the `trading-signals` namespace:
  - Ingestion points: Signal data is retrieved from a shared memory namespace via `mcp__claude-flow__memory_retrieve` in `SKILL.md`.
  - Boundary markers: None; the retrieved data is not enclosed in delimiters or accompanied by instructions to ignore embedded commands.
  - Capability inventory: The skill has access to shell execution (`Bash`) and persistent memory storage (`mcp__claude-flow__memory_store`).
  - Sanitization: There is no mention of sanitizing or validating the retrieved signal data before it is used in calculations or shell commands.
Audit Metadata