open-market-data

Warn

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • [Unverifiable Dependencies] (MEDIUM): The skill installs the Node.js package 'open-market-data' from an untrusted repository (anotb/open-market-data) that is not part of the trusted organization list. This presents a supply chain risk if the package is compromised.
  • [Indirect Prompt Injection] (LOW): The skill has a significant attack surface for indirect injection by processing data from numerous external financial APIs.
      • Ingestion points: Fetches data from SEC EDGAR, Yahoo Finance, Binance, CoinGecko, FRED, Finnhub, Alpha Vantage, and World Bank.
      • Boundary markers: Absent; the documentation does not specify the use of delimiters or warnings to ignore instructions embedded in the API responses.
      • Capability inventory: The skill uses the 'Bash' tool to execute 'omd' commands, allowing for structured data retrieval and potential manipulation of local state via 'omd config'.
      • Sanitization: Absent; there is no mention of escaping or validating the financial data (such as company descriptions or news) before it is returned to the agent context.
  • [Command Execution] (LOW): The skill relies on the 'Bash' tool to interface with the installed binary, which is the primary method of operation but increases the impact of any potential package compromise.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 20, 2026, 12:32 PM