xvary-stock-research
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill implementation demonstrates high security standards and contains no malicious patterns, obfuscation, or persistence mechanisms.
- [DATA_EXFILTRATION]: The skill makes network requests to fetch data from well-known financial services including sec.gov, yahoo.finance.com, finviz.com, and stooq.com. These operations are consistent with the skill's stated purpose and do not involve access to or transmission of sensitive local data.
- [PROMPT_INJECTION]: The skill processes data from external SEC filings and financial websites, creating a surface for indirect prompt injection. 1. Ingestion points: Data enters the agent context via tools/edgar.py (SEC company facts) and tools/market.py (Yahoo/Finviz quotes). 2. Boundary markers: The instructions do not define explicit delimiters for ingested data. 3. Capability inventory: The skill utilizes network access via requests.get in Python scripts. 4. Sanitization: Financial data is sanitized by casting extracted values to float types (using _to_float), which prevents non-numeric instruction leakage through the primary data fields.
Audit Metadata