trend-scout
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/fetch-trends.sh` builds Python commands by interpolating shell variables (`${LIMIT}`) into strings passed to `python3 -c`. This creates a code injection risk if the agent passes unsanitized user input as script arguments.
- [EXTERNAL_DOWNLOADS]: The skill fetches public data from `reddit.com` and `hacker-news.firebaseio.com` for analysis and curation.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data from external sources and incorporates it into content generation workflows.
  - Ingestion points: Data retrieved from Reddit, Hacker News, and Indie Hackers via scripts and search tools.
  - Boundary markers: None; there are no clear delimiters or instructions to treat external data as untrusted text.
  - Capability inventory: The skill's primary function is text curation; it does not invoke high-privilege tools or perform file/network operations based on the ingested content.
  - Sanitization: The skill does not filter or sanitize the external data before it is presented to the language model for curation.
Audit Metadata