us-kline
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill performs network requests using curl to a raw IP address (43.167.234.49). Communicating with external servers via IP addresses rather than verified domain names increases the risk of interacting with unverified or malicious infrastructure.
- [CREDENTIALS_UNSAFE]: A hardcoded API key (123456) is provided in the AUTH header configuration. Hardcoding credentials in skill instructions is a security risk, even if they are intended as placeholders.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests data from an external API, which presents a risk of indirect prompt injection if the API returns malicious content.
  - Ingestion points: Stock market data from http://43.167.234.49:3101/api/v2/usstock/stocks (SKILL.md).
  - Boundary markers: Absent. The skill provides no delimiters or instructions to treat the API response as untrusted data.
  - Capability inventory: The skill uses curl for network access (SKILL.md).
  - Sanitization: Absent. No evidence of data validation or sanitization is present.
- [COMMAND_EXECUTION]: The skill includes shell commands in its installation metadata (cp -r ...) and usage examples (curl ...). Executing shell commands provided in skill instructions can be risky if not properly reviewed by the user.
Audit Metadata