earnings-cost-mgmt
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill directs users to download and install components from `OctagonAI/skills` and the `octagon-mcp` npm package. Neither the GitHub organization nor the npm package is included in the 'Trusted External Sources' list.
- REMOTE_CODE_EXECUTION (MEDIUM): The setup instructions specifically recommend running `npx -y octagon-mcp@latest`. This command downloads and executes the latest version of the package directly from the npm registry, which could be exploited if the package or its account were compromised.
- CREDENTIALS_UNSAFE (LOW): The workflow requires an `OCTAGON_API_KEY`. While the documentation correctly uses placeholders (e.g., `YOUR_API_KEY_HERE`), users are instructed to include sensitive credentials in plaintext configuration files or environment variables for their AI agent.
Audit Metadata