FinanceReport

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Command Execution (HIGH): The skill constructs shell commands by interpolating the {TICKER} or {ticker} variable directly into strings executed via uv run. In workflows/RegenerateBatch.md and workflows/GenerateSingleReport.md, the ticker variable is placed directly into a command string. A malicious user could provide a ticker like "; command #" to execute arbitrary code on the host system.
  • Indirect Prompt Injection (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8).
    • Ingestion points: Untrusted market research data is ingested from Perplexity via mcp__perplexity__search and mcp__perplexity__reason in workflows/FullResearchWorkflow.md.
    • Boundary markers: Absent. There are no delimiters or instructions for the agent to ignore embedded commands within the research data.
    • Capability inventory: The skill can execute shell commands via uv run and write files to the filesystem using ReportGenerator.py.
    • Sanitization: Absent. Data from external searches is synthesized directly into investment theses and report sections without escaping.
  • Data Exposure (LOW): The skill accesses fin-guru/data/user-profile.yaml to retrieve the user's total portfolio value. While used for legitimate sizing calculations, this exposes personal financial information to the agent context.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 19, 2026, 05:57 AM