finance-manager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its core function of processing external documents.
- Ingestion points:
scripts/extract_pdf_data.py(line 14) andscripts/analyze_finances.py(line 15) ingest untrusted data from PDFs and CSVs. - Boundary markers: Absent. There are no delimiters or 'ignore' instructions to prevent the agent from obeying commands embedded within financial transactions.
- Capability inventory: The extracted data directly influences the agent's 'Budget Recommendations' (scripts/analyze_finances.py, line 85), which could be manipulated to lead the agent into performing unsafe actions or providing malicious financial advice.
- Sanitization: Absent. Data is extracted and passed to the analysis engine without filtering or escaping.
- COMMAND_EXECUTION (MEDIUM): The workflow relies heavily on the agent executing local Python scripts via the shell. If the agent is tricked into using malicious filenames or if the scripts are manipulated, it could lead to unauthorized file access or command injection.
- EXTERNAL_DOWNLOADS (LOW):
SKILL.mdrecommends installingpdfplumberandpandasusing the--break-system-packagesflag. While these are trusted packages, this installation method is a poor security practice that can compromise system integrity. - NO_CODE (MEDIUM): The script
scripts/generate_report.pyis missing from the file list despite being a central part of the 'Complete Workflow' described inSKILL.md. Its absence prevents a full audit of how the HTML reports (which load external CDNs) are actually constructed.
Recommendations
- AI detected serious security threats
Audit Metadata