stock-analyzer
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (SAFE): The skill instructs the user to install yahooquery via pip. This is a well-known, legitimate library for financial data retrieval and does not originate from a suspicious source.
- [PROMPT_INJECTION] (LOW): The skill processes untrusted external data from Yahoo Finance, SEC EDGAR, and corporate Investor Relations pages. This establishes a surface for Indirect Prompt Injection (Category 8).
  - Ingestion points: Yahoo Finance API, SEC EDGAR submissions, and various Investor Relations websites.
  - Boundary markers: No explicit boundary markers or 'ignore' instructions are mentioned in the documentation for handling ingested text.
  - Capability inventory: The skill performs file-system writes (--save, --out) and generates Markdown/JSON reports based on ingested data.
  - Sanitization: No sanitization or validation logic is described for the content retrieved from external URLs.
- [COMMAND_EXECUTION] (SAFE): The skill defines local commands (analyze-stock, analyze-value) and modifies the system PATH. These are standard operations for tool integration and no malicious shell injection patterns were found in the instructional text.
Audit Metadata