financial-metrics-analysis
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (LOW): The setup instructions for Mac users include a command to install Homebrew using
curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | bash. Although this is the standard installation method for Homebrew, the pattern of piping a remote script to a shell is a potential security risk. - EXTERNAL_DOWNLOADS (LOW): The skill uses
npxto install and run theoctagon-mcpserver and the skill itself. These packages are sourced from the OctagonAI organization, which is not included in the trusted organizations list, making them unverifiable dependencies. - PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection as it processes data from external financial sources (SEC filings, earnings reports) through the
octagon-agent. Evidence: (1) Ingestion points: Data entering viaoctagon-agenttool output as described inSKILL.md; (2) Boundary markers: Absent in the workflow instructions; (3) Capability inventory: Access tooctagon-agent,octagon-scraper-agent, andoctagon-deep-research-agent; (4) Sanitization: No sanitization or escaping of external content is mentioned.
Audit Metadata