alphaear-predictor

Warn

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The files scripts/utils/predictor/evaluation.py and scripts/kronos_predictor.py use torch.load to load model weights. While kronos_predictor.py attempts to use the secure weights_only=True flag, it includes a fallback mechanism that reverts to legacy loading if an error occurs. Legacy torch.load is vulnerable to arbitrary code execution through malicious pickle payloads.
  • [COMMAND_EXECUTION]: The DatabaseManager class in scripts/utils/database_manager.py provides an execute_query method that allows the execution of arbitrary SQL commands. While primarily used for local data management, this interface could be abused for unauthorized database manipulation if the agent constructs queries using unsanitized user or external input.
  • [EXTERNAL_DOWNLOADS]: The skill automatically fetches pre-trained models and tokenizers from the HuggingFace Hub repository (e.g., NeoQuasar/Kronos-base). While HuggingFace is a reputable service, the specific repository is not a verified vendor, introducing a supply-chain risk.
  • [DATA_EXFILTRATION]: The skill utilizes the Jina Search API (s.jina.ai) and other search engines in scripts/utils/search_tools.py. It transmits user queries and potentially market context to these external services to retrieve news and data.
  • [PROMPT_INJECTION]: Instructions in scripts/prompts/fin_agent.py and scripts/prompts/trend_agent.py use strong imperatives (e.g., 'You must...', 'Strictly follow...') to control agent behavior. These patterns are typical targets for override-style prompt injections.
  • [DATA_EXPOSURE]: The skill exposes an attack surface for Indirect Prompt Injection, as it ingests untrusted data from web search results (Jina, Baidu, DuckDuckGo) without a dedicated sanitization layer for instructions hidden in news content.
    • Ingestion points: External news content and search snippets via SearchTools.search_list.
    • Boundary markers: Absent; external content is interpolated directly into prompts without delimiters or instructions to ignore embedded commands.
    • Capability inventory: Network access (requests.get), local database access (sqlite3), and model loading (torch.load).
    • Sanitization: Absent for inbound external data.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 7, 2026, 05:57 PM