scanning-market-movers
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it fetches and displays untrusted data (such as coin names and symbols) from the CoinGecko API without sanitization. If an attacker controls the metadata of a scanned asset, they could potentially inject instructions into the agent's context.
  - Ingestion points: Data is fetched from the CoinGecko markets endpoint in scripts/analyzer.py.
  - Boundary markers: No delimiters or warnings are used to wrap the external data in the formatted output produced by scripts/formatters.py.
  - Capability inventory: The skill has permissions for Bash(python:*), Write, and Read tools.
  - Sanitization: There is no evidence of string escaping or validation for content retrieved from the API before it is processed or displayed.
- [DATA_EXFILTRATION]: Documentation in references/implementation.md suggests that the agent should read API credentials from a local file (config/crypto-apis.env). While the code does not automate this, such instructions increase the risk of credential exposure if an agent reads and subsequently leaks the file content in its responses.
- [COMMAND_EXECUTION]: The skill uses sys.path.insert in scripts/analyzer.py to dynamically load modules from a sibling directory (market-price-tracker). This relies on relative path assumptions which, while intended for local dependency management, represents a form of dynamic code loading that could be exploited if the directory structure is manipulated.
Audit Metadata