football-data

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill references an external GitHub repository https://github.com/machina-sports/sports-skills.git for package installation, which is not included in the trusted vendors list.
  • [REMOTE_CODE_EXECUTION]: The setup instructions use pip install to download and install code from a remote Git repository. This allows the execution of unverified external code within the agent's environment.
  • [COMMAND_EXECUTION]: The skill relies on executing the sports-skills CLI tool to perform various football data retrieval tasks.
  • [PROMPT_INJECTION]: The skill exhibits vulnerability to indirect prompt injection.
  • Ingestion points: Data is ingested from multiple external sources including ESPN, Understat, FPL, and Transfermarkt via the sports-skills tool (e.g., in get_daily_schedule and get_event_summary).
  • Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands within the ingested data.
  • Capability inventory: The skill possesses the capability to execute shell commands via the sports-skills CLI tool as demonstrated in SKILL.md and scripts/validate_params.sh.
  • Sanitization: Absent; no validation or filtering is applied to the ingested external content to prevent malicious instructions from influencing the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 5, 2026, 07:55 AM