alpha
Audited by Gen Agent Trust Hub on Feb 13, 2026
================================================================================
🟡 VERDICT: MEDIUM
This skill monitors Binance for new cryptocurrency listings. It requires installing an external Python library (websocket-client) from PyPI, which is an unverified source and could potentially be compromised. The skill also makes network requests to Binance's public APIs, which is expected behavior for its stated purpose and does not appear to exfiltrate sensitive local data. The analysis has been performed only on files directly distributed with the skill.
Total Findings: 2
🟡 MEDIUM Findings: • Unverifiable Dependencies
- SKILL.md Line 30, scripts/alpha.py Line 20: The skill instructs the user to install websocket-client via pip3 install websocket-client --user. While websocket-client is a common and generally trusted library, it is an external dependency downloaded from PyPI, which is not a "Trusted GitHub Organization" in the context of this analysis. This means the integrity of the package cannot be fully verified at analysis time, and a compromised package could introduce vulnerabilities.
🔵 LOW Findings: • Data Exfiltration
- scripts/alpha.py Line 30, 100, 120: The scripts/alpha.py file makes network requests to wss://stream.binance.com:9443/ws/!miniTicker@arr (WebSocket) and https://api.binance.com/api/v3 (REST API). These are legitimate endpoints for the Binance cryptocurrency exchange, which is central to the skill's functionality. The skill does not access or transmit any sensitive local files (e.g., ~/.ssh/id_rsa, ~/.aws/credentials). The network activity is confined to interacting with Binance's public APIs as expected.
================================================================================