Skills
skills/marketcalls/vectorbt-backtesting-skills/strategy-compare/Gen Agent Trust Hub

strategy-compare

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from user arguments without providing sanitization instructions.
  • Ingestion points: User-provided $ARGUMENTS (symbol and strategy names) are used to define file paths and script logic in SKILL.md.
  • Boundary markers: Absent; no delimiters or instructions to ignore embedded commands in the input arguments are provided.
  • Capability inventory: The skill utilizes Write, Edit, and Bash tools to create and potentially execute files.
  • Sanitization: Absent; the instructions do not require the agent to validate or escape the symbol variable before using it in the file path or script body.
  • [COMMAND_EXECUTION]: The skill automates the creation of Python scripts ({symbol}_strategy_comparison.py) and utilizes the Bash tool. The direct interpolation of user-controlled variables into filenames and script logic presents a risk of path traversal or command injection if the underlying agent does not implement its own security boundaries.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 6, 2026, 05:39 AM