startup-validator
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted external data which presents an indirect prompt injection surface.
  - Ingestion points: External articles and market reports retrieved via the web_fetch tool as described in SKILL.md.
  - Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions for fetched content.
  - Capability inventory: The skill can execute a bundled Python script (scripts/market_analyzer.py), write result files to the local system, and perform network read operations via web_fetch.
  - Sanitization: There is no mention of sanitizing or validating external content before it is analyzed by the agent.
- [COMMAND_EXECUTION]: The skill executes a local, bundled Python script (scripts/market_analyzer.py) to calculate market metrics. The script is called with a local file path as an argument.
- [EXTERNAL_DOWNLOADS]: The skill workflow requires the agent to perform 10-15 web searches and fetch full content from third-party websites to gather market intelligence and industry data.
Audit Metadata