skills/cikichen/skills/bazi/Gen Agent Trust Hub

bazi

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches astrological data from the API at yoebao.com. This network communication is essential for the tool to calculate and return the Four Pillars of Destiny results.
  • [COMMAND_EXECUTION]: The script bazi.py uses subprocess.run to execute the system's curl command. The inputs for the URL (gender and timestamp) are derived through strict parsing and validation in the Python code, which prevents command injection vulnerabilities.
  • [PROMPT_INJECTION]: The skill contains a surface for indirect prompt injection by processing data from an external API.
      • Ingestion points: Data is received from the yoebao.com API and parsed as JSON in bazi.py.
      • Boundary markers: The output does not use specific delimiters to distinguish between the skill's instructions and the external data returned.
      • Capability inventory: The skill has permissions to execute the curl command and perform date/time calculations.
      • Sanitization: The script parses specific fields from the JSON response (bazi, yuns, xiangbei) but does not explicitly sanitize the text content before printing it to the agent context.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 2, 2026, 05:35 AM