indicator-dashboard
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [SAFE]: The skill operates within the expected bounds of a technical analysis dashboard builder. All external references are to well-known libraries and local templates.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to run the generated dashboard applications (e.g., 'python app.py' or 'streamlit run app.py'). This is an intended and documented functionality of the skill.
- [DATA_EXFILTRATION]: The generated code is instructed to load '.env' files using 'find_dotenv()'. While this involves accessing potentially sensitive configuration files, it is the standard and necessary method for retrieving API credentials for financial data providers.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by interpolating user-provided symbols and types into the generated Python code.
  - Ingestion points: User input via $ARGUMENTS ($0 for dashboard type, $1 for symbol).
  - Boundary markers: None specified in the instructions for the generated script.
  - Capability inventory: The skill possesses 'Write' permissions to create executable Python files and 'Bash' permissions to run them.
  - Sanitization: No explicit sanitization or validation of the symbol or type input is described in the instruction set, relying on the agent's code generation logic.
Audit Metadata