calculadora-cdi
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches the current CDI rate from the official API of the Banco Central do Brasil (BCB) and the well-known financial website melhorcambio.com. These are trusted and well-known sources in the financial context.
- [COMMAND_EXECUTION]: The skill executes a local Python script
scripts/cdi.pyto perform financial calculations. Parameters are passed from user input but are sanitized within the script via type casting (float/int) using the argparse library. - [DATA_EXPOSURE_&_EXFILTRATION]: No sensitive data access or exfiltration patterns were detected. Network activity is limited to retrieving public financial indices.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests data from external websites to obtain the CDI rate. The risk is minimized because the script uses strict regex patterns and mandatory conversion to numeric types (float) for the fetched data, preventing the injection of executable instructions into the agent's context.
- Ingestion points:
scripts/cdi.py(fetches HTML/JSON from external URLs). - Boundary markers: The skill instructions specify that the agent should only return a markdown table.
- Capability inventory: Execution of a local Python script; network access via
urllibto specific financial domains. - Sanitization: The script explicitly converts external string data into floats using
float(match.group(1).replace(",", "."))orfloat(dados[0]["valor"])before any further processing.
Audit Metadata