strikeradar
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- Data Exposure & Exfiltration (LOW): The script makes network requests to api.usstrikeradar.com to fetch strike probability data. While this is the intended functionality, the domain is not on the pre-approved whitelist for secure network operations.
- Indirect Prompt Injection (LOW): The skill processes news headlines and data from an external API, which creates a surface for potential instruction injection if the source content is compromised or contains adversarial instructions.
  - Ingestion points: Remote data is retrieved from https://api.usstrikeradar.com/api/data and https://api.usstrikeradar.com/api/pulse within scripts/strikeradar.ts.
  - Boundary markers: Absent. The script formats output for the agent as JSON or plain text but does not utilize delimiters to isolate untrusted external content from system instructions.
  - Capability inventory: The skill lacks dangerous capabilities such as local filesystem modification, subprocess spawning, or dynamic code evaluation. It is restricted to network read and standard output operations.
  - Sanitization: Absent. The script passes raw string data from the API directly to the output buffer without escaping or filtering.
- External Downloads (LOW): The skill relies on npx tsx for execution, which triggers a download of the tsx package from the npm registry if it is not already present in the user's environment.
Audit Metadata