footballbin-predictions
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (SAFE): The script connects to an external AWS Lambda endpoint (https://ru7m5svay1.execute-api.eu-central-1.amazonaws.com/prod/mcp) to retrieve match prediction data. This behavior is consistent with the skill's primary function and is clearly documented.
- COMMAND_EXECUTION (SAFE): Employs standard bash utilities (curl, jq) for network communication and data processing. Input variables are wrapped in quotes, preventing shell command injection. The use of 'set -euo pipefail' follows security best practices for robust script execution.
- DATA_EXFILTRATION (SAFE): No local files or sensitive system data are accessed. The script only transmits public, user-provided football data (league names, team names) to the API endpoint.
- INDIRECT_PROMPT_INJECTION (LOW): The skill ingests data from a third-party API response.
  - Ingestion points: External API response in scripts/footballbin.sh.
  - Boundary markers: The output is formatted into structured text blocks with visual separators (e.g., box-drawing characters).
  - Capability inventory: No risky capabilities; the script has no write access to the filesystem and does not pipe remote data into a shell or interpreter.
  - Sanitization: The script uses jq to safely parse the JSON response, ensuring that only expected fields are processed as text.
Audit Metadata