Skills
skills/athina-ai/goose-skills/champion-tracker/Gen Agent Trust Hub

champion-tracker

Warn

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script champion_tracker.py uses importlib.util to load modules from computed paths and modifies sys.path to include directories multiple levels above its own location.
  • [CREDENTIALS_UNSAFE]: The script implements a _load_dotenv function that searches up to 10 parent directories for .env files, which could lead to the unintentional loading of sensitive credentials from the host system.
  • [PROMPT_INJECTION]: The skill ingests untrusted content from LinkedIn profiles via the Apify API, posing a risk for indirect prompt injection. 1. Ingestion points: Profile headlines and summaries in champion_tracker.py. 2. Boundary markers: None. 3. Capability inventory: File reading/writing and network requests. 4. Sanitization: No sanitization of text data.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 14, 2026, 06:03 PM