USMetrics
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes a mandatory requirement to execute a shell command (curl) targeting http://localhost:8888/notify immediately upon invocation. This command is executed in the background and is intended for status notifications, but it represents unprompted local network activity.
- [PROMPT_INJECTION]: A 'Customization' section in the main skill file instructs the agent to load and apply resources (such as PREFERENCES.md) from a specific local path (~/.claude/skills/PAI/USER/SKILLCUSTOMIZATIONS/USMetrics/) which 'override default behavior'. This mechanism creates an attack surface where local files can influence or redirect the agent's logic.
- [EXTERNAL_DOWNLOADS]: The skill's scripts fetch economic data from well-known services including the Federal Reserve Economic Data (FRED) API, the Energy Information Administration (EIA) API, and the U.S. Treasury's FiscalData API. These connections are consistent with the skill's stated purpose of economic indicator analysis.
Audit Metadata