hot_topics_selector
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to indirect prompt injection via news data retrieved from external platforms.
  1. Ingestion points: 'scripts/fetch_news_content.py' retrieves text from arbitrary URLs, which is then processed by the agent.
  2. Boundary markers: There are no delimiters or 'ignore instructions' warnings in the prompts for Phase 1 or Phase 3.
  3. Capability inventory: The agent's output in Phase 1 is used as an argument for a shell command in Phase 2, and the final output is used for financial investment guidance.
  4. Sanitization: Only basic HTML tag removal is performed; there is no filtering for malicious instructions in the news text.
- COMMAND_EXECUTION (MEDIUM): The skill executes shell commands using indices generated by the agent in the previous step. While the provided script validates these as integers, the architectural pattern of passing agent-generated strings directly to shell arguments is a high-risk practice.
- EXTERNAL_DOWNLOADS (LOW): The Python scripts use the 'requests' library to fetch data from untrusted external URLs, creating a network dependency on unverified sources.
Recommendations
- AI detected serious security threats
Audit Metadata