Skills
skills/kirkluokun/awesome-a-stock-openclawskills/trade-signal/Gen Agent Trust Hub

trade-signal

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/search.sh script is vulnerable to Python code injection. The $QUERY variable is expanded directly into a Python command string using triple quotes ('''$QUERY'''). An attacker can use triple quotes in their input to break out of the string literal and execute arbitrary Python commands on the system.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.
  • Ingestion point: scripts/search.sh fetches data from https://terminal-x.ai/api/lite-search.
  • Boundary markers: Absent.
  • Capability inventory: The skill can execute local commands via scripts/search.sh.
  • Sanitization: Absent. Malicious content in the API response could potentially exploit the agent's logic or the command injection bug.
  • [EXTERNAL_DOWNLOADS]: The skill fetches financial data from https://terminal-x.ai, which is the official homepage for the service.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 10, 2026, 03:26 AM