trading-analysis
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, PROMPT_INJECTION, NO_CODE
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill design relies on ingesting external data from Yahoo Finance, which creates an attack surface for indirect prompt injection.
  - Ingestion points: Real-time market data fetched via the Yahoo Finance API (File: SKILL.md).
  - Boundary markers: Absent; the documentation does not specify the use of delimiters or 'ignore' instructions for the ingested data stream.
  - Capability inventory: The skill is capable of writing Markdown reports, JSON data, and image files to the local reports/ directory.
  - Sanitization: No mention of data validation or sanitization routines for the external API responses.
- [No Code] (SAFE): The provided skill files consist solely of documentation (SKILL.md) and metadata (metadata.json). No executable Python, JavaScript, or shell scripts were present for analysis.
- [Data Exposure] (SAFE): The skill references requiring an Anthropic API key in a .env file for operation. While this involves sensitive data, the analyzed files contain no instructions or code patterns to exfiltrate or improperly access this credential.
Audit Metadata