kelly-position

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • Prompt Injection (SAFE): The skill instructions in SKILL.md and documentation files are strictly focused on financial calculations. No behavioral overrides, safety bypasses, or system prompt extraction patterns were found.
  • Data Exposure & Exfiltration (SAFE): No hardcoded credentials, sensitive file paths (e.g., .ssh, .env), or network operations (e.g., curl, requests) were detected in the Python script or documentation.
  • Obfuscation (SAFE): All code and text are in clear text. No suspicious Base64, zero-width characters, or homoglyph-based evasion techniques were identified.
  • Remote Code Execution & Dependencies (SAFE): The Python script scripts/kelly_calculator.py uses only standard library modules (sys, argparse, math, json). No runtime installation of external packages or remote script execution (e.g., curl | bash) is present.
  • Privilege Escalation & Persistence (SAFE): There are no commands related to sudo, chmod, or modification of system configuration files (e.g., .bashrc, systemd) that would indicate attempts to gain higher privileges or maintain access.
  • Indirect Prompt Injection (SAFE): While the skill ingests user-provided financial data (win rates, returns), it lacks exploitable capabilities. The Python script performs pure mathematical calculations and outputs text/JSON without executing any downstream commands or modifying the environment.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:37 PM