detect-shanghai-silver-stock-drain
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill utilizes the
webdriver_managerlibrary withinscripts/explore_ceic.pyandscripts/explore_shfe.pyto download executable binaries (chromedriver) at runtime from external sources. - REMOTE_CODE_EXECUTION (HIGH): The skill script automatically executes the downloaded
chromedriverbinary via the Selenium framework. This pattern allows for the execution of arbitrary code if the download source or the binary itself is compromised, which is a high risk for skills not originating from trusted developers. - COMMAND_EXECUTION (LOW): The skill's workflows (
workflows/fetch-data.md) instruct the user or agent to execute shell commands, includingpip installfor several third-party libraries and executing local Python scripts to perform data fetching tasks. - INDIRECT_PROMPT_INJECTION (LOW): The skill possesses a surface for indirect prompt injection as it ingests and processes untrusted data from external websites (ceicdata.com, shfe.com.cn) and PDF reports from SGE.
- Ingestion points:
scripts/explore_ceic.py,scripts/explore_shfe.py, andscripts/fetch_sge_stock.pyvia web requests and PDF parsing. - Boundary markers: Absent; there are no specific markers or instructions to the LLM to ignore potentially malicious instructions embedded in the scraped data.
- Capability inventory: The skill can execute subprocesses (scripts), write to the local filesystem (
data/directory), and perform network operations via Selenium. - Sanitization: The skill relies on structural parsing (e.g.,
pdfplumber,BeautifulSoup), but does not perform explicit sanitization of the content before it might be presented to the agent context.
Recommendations
- AI detected serious security threats
Audit Metadata