improve-openbb-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is vulnerable to Category 8 (Indirect Prompt Injection) as it ingests untrusted data to perform high-privilege write operations.
  - Ingestion points: User-provided error descriptions, trial-and-error observations in the OpenBB Workspace, and user requests to "fix the skill".
  - Boundary markers: Absent. No delimiters are used to wrap or sanitize the user-provided improvements before they are added to files or PR bodies.
  - Capability inventory: The skill uses `git push` and `gh pr create`, providing the agent with the ability to publish content to a public external repository (OpenBB-finance/backends-for-openbb).
  - Sanitization: Absent. Untrusted content is directly interpolated into the target files and GitHub PR metadata.
- Data Exposure & Exfiltration (MEDIUM): The skill copies local files from `.claude/skills/` and pushes them to a remote public repository. This creates a data exfiltration vector where local skill definitions or potentially sensitive configurations could be publicly exposed if the agent is manipulated into selecting the wrong files or if the skill folder contains sensitive data.
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill clones a repository from a source (OpenBB-finance/backends-for-openbb) that is not on the [TRUST-SCOPE-RULE] trusted list. While it does not directly execute scripts from the repo, interacting with untrusted repositories is a risk factor for multi-stage attacks.
- Command Execution (LOW): The skill relies on shell command execution (`gh`, `git`, `cp`). The instructions use template placeholders like `{description}` inside shell command strings, which is a best-practice violation and could lead to command injection if the agent does not properly escape the input.
Recommendations
- AI detected serious security threats
Audit Metadata