detect-palladium-lead-silver-turns
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (SAFE): The skill utilizes standard, reputable Python packages for financial analysis such as yfinance, pandas, and scipy. It fetches price data from public sources like Yahoo Finance and Stooq, which is appropriate for its stated purpose.
- [COMMAND_EXECUTION] (SAFE): The workflows involve executing local Python scripts using shell commands and managing periodic monitoring via APScheduler or cron. This is standard behavior for an automation and monitoring skill.
- [DATA_EXFILTRATION] (LOW): The monitoring workflow includes code to send notifications to Telegram and Discord. While these utilize non-whitelisted domains (api.telegram.org), they are used strictly for alerting the user as per the skill's primary function. No evidence of secret exfiltration was found.
- [PROMPT_INJECTION] (LOW): The skill processes financial data from external sources (yfinance and stooq.com), which represents an indirect prompt injection surface. Evidence Chain: 1. Ingestion points: Numerical price data fetched from Yahoo Finance and Stooq. 2. Boundary markers: Not explicitly defined in the provided code snippets. 3. Capability inventory: Subprocess execution for scripts and requests.post for network-based alerts. 4. Sanitization: Standard data cleaning using pandas (ffill, dropna).
Audit Metadata