analyze-rolex-market-index-liquidity-proxy
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill documentation in 'references/data-sources.md' and the PowerShell script 'scripts/start_chrome_debug.ps1' provide commands to launch Google Chrome with the flags '--remote-debugging-port=9222' and '--remote-allow-origins=*'. The use of the wildcard for allowed origins permits any malicious website or script on the system to interact with the browser's DevTools API, allowing for arbitrary control of the browser instance.
- DATA_EXFILTRATION (MEDIUM): By opening the Chrome DevTools protocol to all origins and specifying a user data directory within the user's home profile ('$HOME/.chrome-debug-profile'), the skill creates a significant risk of data exposure. An attacker could use this open port to programmatically extract sensitive browser information, cookies, or authentication tokens if the user navigates to sensitive sites within that session.
- EXTERNAL_DOWNLOADS (LOW): The skill fetches data from the FRED CSV endpoint and scrapes WatchCharts. While these sources are generally trusted, the scraping methodology involves interacting with external DOM elements and global variables, which constitutes an ingestion point for untrusted data. Per [TRUST-SCOPE-RULE], the download of FRED data is downgraded to LOW.
Recommendations
- AI detected serious security threats
Audit Metadata