portfolio-manager
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill is a legitimate tool designed for investment portfolio analysis, leveraging the Alpaca brokerage platform via the Model Context Protocol (MCP). It follows standardized procedures for financial data retrieval and reporting.
- [SAFE]: Documentation in the setup guide correctly identifies security risks associated with API keys and provides best-practice recommendations, such as using environment variables and restricting configuration file permissions with 'chmod 600'.
- [COMMAND_EXECUTION]: The skill includes instructions for executing local scripts to test API connectivity and writes Markdown reports to the local filesystem. These operations are restricted to the local environment and are consistent with the skill's functional purpose.
- [PROMPT_INJECTION]: The skill ingests untrusted market data and news from external web sources. This constitutes an indirect prompt injection surface; however, the impact is limited as the data is primarily used for report generation and does not influence sensitive system operations.
Audit Metadata