crypto-ta-analyzer
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The
CLAUDE.mdtesting instructions facilitate downloading data fromapi.coingecko.com. While relevant to the skill, the example code explicitly disables SSL certificate verification (ssl.CERT_NONE), which is a poor security practice that exposes the data fetch to Man-in-the-Middle (MITM) attacks. - [COMMAND_EXECUTION] (LOW): The documentation provides a
python3 -cone-liner for testing. While this is a standard developer practice, executing arbitrary strings via shell is a capability that should be monitored. - [PROMPT_INJECTION] (LOW): Category 8: The skill ingests untrusted market data from an external API via
scripts/coingecko_converter.py. There is a theoretical surface for indirect prompt injection if the agent interprets malicious data in the price fields as instructions. \n - Ingestion points:
scripts/coingecko_converter.py(prepare_analysis_data). \n - Boundary markers: Absent. \n
- Capability inventory: Restricted to numeric computation using
numpyandpandas. No high-risk file-write or network-send capabilities based on processed data. \n - Sanitization: Uses standard
json.loadsparsing.
Audit Metadata