bus-arrivals-coruna-data
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/coruna_bus_api.py utilizes the subprocess module to call the system curl utility.
  - Evidence: Found in the _fetch_once_curl function.
  - Context: This is implemented as a robust fallback mechanism for network requests to handle potential connectivity issues or server-side restrictions that might affect standard Python libraries.
- [EXTERNAL_DOWNLOADS]: The skill performs network requests to external domains to retrieve transport data.
  - Evidence: Fetches bus catalogs and real-time arrivals from itranvias.com.
  - Context: These requests are necessary for the skill's primary function and target the official service provider.
- [PROMPT_INJECTION]: The skill ingests data from a remote API, which constitutes an indirect prompt injection surface.
  - Ingestion points: Remote JSON data is retrieved in scripts/coruna_bus_api.py via the fetch_json function.
  - Boundary markers: Absent; data from the API is parsed and used without specific delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill has the ability to perform network operations and execute the curl command.
  - Sanitization: The skill relies on standard JSON parsing and does not explicitly sanitize the text content returned by the API provider.