fin-core
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill configures a SessionStart hook in settings.json that executes npx tsx on a local script (load-fin-core-config.ts) every time a session begins. This constitutes a persistence mechanism that executes code without explicit user consent per session.
- [DATA_EXFILTRATION] (MEDIUM): The startup hook is designed to automatically read highly sensitive files, including user-profile.yaml (containing income and portfolio strategy) and CSV files containing account balances and positions. While relevant to the skill's purpose, the automated ingestion of this data increases the risk of accidental exposure or exfiltration if the agent is compromised.
- [PROMPT_INJECTION] (LOW): The SKILL.md file contains a behavioral override labeled "CRITICAL: Always execute 'date' command before market research." This is an instruction-level injection intended to force specific agent actions.
- [PROMPT_INJECTION] (LOW): Category 8: Indirect Prompt Injection Surface.
  - Ingestion points: Reads fin-guru/config.yaml, fin-guru/data/user-profile.yaml, and dynamically detected .csv files in notebooks/updates/.
  - Boundary markers: None. The hook outputs content as a "formatted system-reminder" without clear delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill has access to multiple Python-based analysis tools (Risk Metrics, Optimizer, etc.) and the ability to execute shell commands (e.g., date).
  - Sanitization: None detected. The script reads and outputs file contents directly into the LLM context.
Audit Metadata