company-analyzer
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.
  - Ingestion points: The scripts/fetch_data.sh script fetches the longBusinessSummary (company description) from the Yahoo Finance API.
  - Boundary markers: Prompt templates in scripts/run-framework.sh interpolate this data into prompts labeled as 'Raw Data' but lack strict delimiters or system-level instructions to ignore embedded commands.
  - Capability inventory: The skill executes local bash scripts and performs network operations via curl.
  - Sanitization: No sanitization is performed on retrieved descriptions before LLM processing.
- [SAFE]: Network operations are limited to well-known and trusted financial data providers including SEC EDGAR, Yahoo Finance, and Alpha Vantage.
- [SAFE]: No hardcoded secrets were found; API keys are retrieved from local configuration files.
Audit Metadata