yield-opportunities
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The script `scripts/compare-protocols.sh` is vulnerable to command injection via the `awk` command. The variable `TOTAL_APY` is derived from an external API response using `jq` and then interpolated directly into an `awk` script: `awk "BEGIN {printf \"%.2f\", ${TOTAL_APY}/${TOTAL_COUNT}}"`. If the API (DefiLlama) returns a malicious string in the `apy` field, it could result in arbitrary code execution on the user's system.
- [DATA_EXFILTRATION] (MEDIUM): The `scripts/compare-protocols.sh` script supports an `--export` parameter that writes results to a user-provided file path: `echo -e "$CSV_DATA" > "$EXPORT_FILE"`. This lack of path validation allows for arbitrary file writes, which could be used to overwrite sensitive system configurations or user files if the agent is manipulated into using a dangerous path.
- [EXTERNAL_DOWNLOADS] (LOW): The skill intentionally downloads DeFi yield data from `yields.llama.fi`. While this is the core functionality, the use of unauthenticated and unsanitized data in downstream shell operations creates the high-severity risks identified.
- [PROMPT_INJECTION] (LOW): The skill possesses a surface for indirect prompt injection.
  - Ingestion points: Data is fetched via `curl` in `scripts/compare-protocols.sh` and `requests` in `scripts/fetch-defillama-yields.py`.
  - Boundary markers: Absent. The data is parsed but not delimited or guarded against instruction injection.
  - Capability inventory: The skill can execute subprocesses (`jq`, `awk`) and write to the filesystem (`>`).
  - Sanitization: Absent. External data from the API is directly printed and used in commands, allowing malicious metadata to influence the agent.
Recommendations
- AI detected serious security threats
Audit Metadata