earnings-call-insights
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Remote Code Execution (LOW): The setup instructions in README.md and references/mcp-setup.md direct the user to run 'npx -y octagon-mcp', which downloads and executes the latest version of an external package from npm at runtime. It also suggests a piped shell command for Homebrew installation.
- Indirect Prompt Injection (LOW): The skill processes untrusted external data (earnings call transcripts). There is a risk that malicious instructions could be embedded in these transcripts to influence the agent.
- Evidence Chain (Category 8):
  1. Ingestion point: Earnings call transcripts analyzed via Octagon MCP.
  2. Boundary markers: None present in the prompt templates.
  3. Capability inventory: Uses tools provided by the 'octagon-mcp' server to perform extraction and sentiment analysis.
  4. Sanitization: No sanitization of input data is mentioned or performed.