finlab
Warn
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documents the use of `Report.from_pickle` in `backtesting-reference.md`. Python's `pickle` module is insecure because it can execute arbitrary code when loading data, posing a risk if an attacker provides a malicious file.
- [DATA_EXFILTRATION]: The `sim()` function in `backtesting-reference.md` defaults to `upload=True`. This causes backtest results and performance metrics to be sent to the vendor's cloud platform automatically, which could lead to unintended data exposure.
- [EXTERNAL_DOWNLOADS]: The skill requires installing several Python packages from PyPI, including `finlab`, `shioaji`, and `esun-trade`. These are external dependencies that add third-party code to the environment.
- [CREDENTIALS_UNSAFE]: In `trading-reference.md`, the skill instructs users to store sensitive broker API keys, passwords, and private certificates in environment variables. Improper management of these variables could lead to the exposure of financial account credentials.
Audit Metadata