mmt-api-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Prompt Injection (SAFE): The skill contains purely technical documentation and implementation rules. No attempts to manipulate agent behavior or bypass safety filters were detected.
- Data Exposure & Exfiltration (SAFE): API keys are handled using variable placeholders or environment variables. All network requests are directed to the legitimate API endpoint (mmt.gg).
- Obfuscation (SAFE): No evidence of Base64, zero-width characters, or other encoding techniques intended to hide malicious content was found.
- Unverifiable Dependencies & Remote Code Execution (SAFE): The skill recommends well-established libraries such as httpx, websockets, and cbor2. No remote script execution (e.g., piped curl commands) is present.
- Privilege Escalation & Persistence (SAFE): No commands for modifying system permissions or establishing persistence (e.g., cron jobs, startup scripts) were found.
- Indirect Prompt Injection (LOW): The skill provides instructions for ingesting structured market data (OHLC, stats). While this is an external data surface, the structured nature of the data (mostly numbers) and the intended use case pose a negligible risk.
- Dynamic Execution (SAFE): No use of dangerous functions like eval() or exec() on untrusted data was found.
Audit Metadata