stock-copilot-pro
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXPOSURE]: The skill handles the `QVERIS_API_KEY` securely. It includes a `redactSecrets` utility in `scripts/lib/output.mjs` that identifies and masks API keys, Bearer tokens, and Authorization headers within any text before it is displayed or logged, preventing accidental credential exposure.
- [EXTERNAL_DOWNLOADS]: The skill implements a controlled mechanism for fetching extended data payloads. In `scripts/lib/infra/qveris-client.mjs`, the `resolveToolPayload` function validates remote URLs against a strict allowlist of hosts (defaulting to `qveris.ai`) and mandates the use of HTTPS, effectively mitigating SSRF and unauthorized data access risks.
- [PROMPT_INJECTION]: The skill provides a mechanism to safely render untrusted input via `formatReportifyCustomBlocksSafe`. This function identifies specific custom tags and forces their content into fenced code blocks. It uses a dynamic delimiter strategy (calculating the required number of backticks) to ensure that content containing backticks cannot escape the block and execute markdown or HTML injection.
- [COMMAND_EXECUTION]: The core logic of the skill is implemented using standard Node.js APIs and does not utilize `eval()`, `Function()`, or `child_process` to execute data retrieved from external sources. Interaction with the tool environment is performed via structured HTTP requests to the vendor's API.
- [DATA_EXFILTRATION]: Network activity is restricted to the authoritative vendor domain `qveris.ai`. The skill does not access sensitive local file paths (such as SSH keys or environment files) for the purpose of external transmission.
Audit Metadata