trading-analyzer
Warn
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill ingests untrusted external content via market intelligence tools.
  - Ingestion points: The `yahoo-finance-server.get_ticker_news` tool fetches external headlines and articles for sentiment analysis.
  - Boundary markers: No specific boundary markers or delimiters for external content are mentioned in the tool calling logic.
  - Capability inventory: The agent has the ability to call multiple market tools (`mcporter call`) and generate summary reports based on ingested data.
  - Sanitization: Documentation lacks mention of sanitization or filtering for the external news content.
- [Dynamic Execution] (MEDIUM): The extension documentation explicitly encourages users to add new code files to an `analyzers/` directory which are then registered in the routing logic, implying dynamic loading of local scripts at runtime.
- [Unverifiable Dependencies] (LOW): The skill relies on several third-party MCP servers (`tradingview-mcp`, `alphavantage`, `yahoo-finance-server`) and the `mcporter` utility, which are not listed as trusted sources.
Audit Metadata