tradingview-screener
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The install.sh script downloads standard Python libraries including pandas, pyyaml, and tvscreener from the official Python Package Index (PyPI) to a local virtual environment.
- [REMOTE_CODE_EXECUTION]: The signal_types.py script utilizes pandas.DataFrame.eval() to execute computed signals defined in local YAML configuration files. The implementation includes a defensive layer with a character whitelist (regex) and a keyword blacklist to mitigate the risk of malicious code execution.
- [PROMPT_INJECTION]: The skill processes and displays market data from the TradingView API, creating a potential surface for indirect prompt injection if asset names or descriptions contain malicious instructions.
  - Ingestion points: Data enters the system via the tvscreener library in screen.py and signal_engine.py.
  - Boundary markers: Output data is formatted into markdown tables for presentation to the agent.
  - Capability inventory: No high-risk subprocess or system-level capabilities are exposed to the data processing logic.
  - Sanitization: External text fields are rendered without specific character escaping or filtering.
Audit Metadata