shipp-sports-data
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [SAFE]: The skill uses environment variables for sensitive API keys, following standard security practices for secret management.
- [SAFE]: The required Node.js package (@moonpay/cli) is an official tool provided by the skill's author.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it instructs the agent to process data from external feeds to trigger financial actions.
  - Ingestion points: Real-time game events and scores retrieved from the Shipp API (api.shipp.ai).
  - Boundary markers: None specified in the instruction set or polling loop.
  - Capability inventory: Ability to execute buy/sell positions and manage funds via MoonPay CLI commands.
  - Sanitization: No data validation or sanitization of the incoming sports events is described.
- [CREDENTIALS_UNSAFE]: Some documentation examples illustrate passing the API key as a URL query parameter (?api_key=$SHIPP_API_KEY), which is a security risk as URLs containing credentials may be stored in plain text within server logs or browser history.
Audit Metadata