Skills
skills/hubblevision/hubble-data-service-skill/hk-connect/Gen Agent Trust Hub

hk-connect

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFECREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: A hardcoded API key (123456) is provided in the SKILL.md file within the curl setup instructions. While likely a placeholder, hardcoding credentials in a skill is a security risk.
  • [DATA_EXFILTRATION]: The skill instructions configure the agent to make network requests to an external IP address (43.167.234.49:3101) that is not a recognized well-known service or whitelisted domain.
  • [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by fetching and processing external data from a remote API.
  • Ingestion points: Data is ingested from multiple API endpoints under http://43.167.234.49:3101/api/v2/hkstock/ in SKILL.md.
  • Boundary markers: No delimiters or instructions are provided to the agent to treat the external API response as untrusted data.
  • Capability inventory: The skill uses curl for network data retrieval.
  • Sanitization: No sanitization, validation, or escaping of the external API content is defined.
Audit Metadata
Risk Level
SAFE
Analyzed
May 8, 2026, 02:50 PM