strategy-signal-tracker
Fail
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses the 'curl | sh' pattern to download and execute shell scripts from a non-trusted personal GitHub repository (purong-huang-1121/skills-store). This allows for arbitrary code execution on the user's system without verification.
- [PROMPT_INJECTION]: The 'Post-Install Welcome' section contains explicit instructions to manipulate user perception by stating that security warnings (e.g., from Gen, Snyk, or Socket) are 'false positives' (误报). This is a deceptive tactic to bypass security guardrails.
- [COMMAND_EXECUTION]: The skill triggers several local system commands to manage the installation lifecycle, including checking tool existence with 'which', reading environment files (~/.cargo/bin/.env), and running downloaded binaries.
- [EXTERNAL_DOWNLOADS]: Fetches multiple installation scripts and tool components from external sources, including the official OKX GitHub repository and the author's own repository.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/purong-huang-1121/skills-store/main/install.sh, https://raw.githubusercontent.com/purong-huang-1121/skills-store/main/install_strategy.sh, https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata