opentrade-market
Fail
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: HIGH EXTERNAL_DOWNLOADS REMOTE_CODE_EXECUTION COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to download and pipe a shell script from a remote URL directly into the system shell. This occurs during setup, updates, and error recovery, providing a path for arbitrary code execution if the remote source is compromised.
  - Evidence: SKILL.md contains `curl -sSL https://raw.githubusercontent.com/6551Team/openskills/main/skills/opentrade/install.sh | sh` in the Pre-flight Checks and error handling sections.
- [EXTERNAL_DOWNLOADS]: The skill relies on external resources hosted on a third-party domain for its installation and functionality.
  - Evidence: Fetches the `install.sh` script from `raw.githubusercontent.com`.
- [COMMAND_EXECUTION]: The skill executes multiple local shell commands to check environment state, read files, and interact with the `opentrade` CLI tool.
  - Evidence: Uses `which`, `cat`, `date`, and the `opentrade` CLI itself to perform market data operations and manage cache timestamps.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/6551Team/openskills/main/skills/opentrade/install.sh - DO NOT USE without thorough review
Audit Metadata