edge-candidate-agent
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No security issues detected. The skill implements its stated financial analysis and research functions using standard developer tools and libraries.
- [COMMAND_EXECUTION]: The scripts auto_detect_candidates.py and validate_candidate.py utilize subprocess.run to interface with local utilities (uv) and user-specified LLM commands. These executions are managed without the use of a shell and employ shlex.split or repr-based interpolation to mitigate command injection risks.
- [PROMPT_INJECTION]: The skill processes market data and user hints to generate strategy tickets, presenting a surface for indirect prompt injection. However, the skill uses safe parsing methods (PyYAML safe_load) and does not exhibit any behavior indicating susceptibility to malicious instruction override. Ingestion points: auto_detect_candidates.py (OHLCV, hints, news, futures). Boundary markers: None. Capability inventory: Subprocess execution, filesystem writes. Sanitization: Safe YAML loading.
Audit Metadata