btc-momentum-analyzer
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The scripts quick_test.sh and test.sh execute system commands to run Python processes and pass data between them, which could be exploited if input parameters are not properly validated.
- DYNAMIC_EXECUTION (MEDIUM): Use of Python here-docs (python3 << 'EOF') in quick_test.sh and string execution (python3 -c) in test.sh involves running code generated or embedded at runtime. This pattern is used for dynamic logic assembly, which can bypass static security analysis.
- EXTERNAL_DOWNLOADS (LOW): The skill is designed to interact with the OKX API (via the referenced fetch_btc_data.py) to download market data. While targeting a legitimate service, this creates an external dependency and an entry point for untrusted data.
- DATA_EXPOSURE (LOW): Multiple files (README.md, QUICKSTART.md, quick_test.sh, test.sh) contain hardcoded absolute paths (/Users/adrian/Desktop/BA/MACD/). This exposes the local file system structure of the author/user and limits the portability of the skill.
- INDIRECT_PROMPT_INJECTION (LOW): The skill processes external financial data to generate trading advice, creating a surface for indirect injection.
  - Ingestion points: Market data is fetched from the OKX API through the scripts/fetch_btc_data.py script.
  - Boundary markers: No boundary markers or specific 'ignore embedded instructions' warnings are present in the provided scripts.
  - Capability inventory: The skill can execute shell scripts, run Python code, and perform network requests.
  - Sanitization: No explicit sanitization or validation logic for the external API response data is present in the provided script files.