nba-data
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructions prompt the agent to install the 'sports-skills' Python package from PyPI if it is not already present on the system.
- [COMMAND_EXECUTION]: The skill's primary functionality is delivered through the 'sports-skills' CLI tool, which is invoked via shell commands to fetch NBA data.
- [COMMAND_EXECUTION]: A helper script, 'scripts/validate_params.sh', is included to validate command-line arguments such as dates and team IDs before the main CLI tool is executed.
- [PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection because it ingests untrusted data from external ESPN news feeds and game summaries, which is then processed within the agent's context. Additionally, user-provided parameters like 'season' or 'team_id' are interpolated directly into shell commands without explicit sanitization instructions in the main prompt, although a validation script is provided in the skill package.
Audit Metadata