Skills
skills/rkiding/awesome-finance-skills/alphaear-deepear-lite/Gen Agent Trust Hub

alphaear-deepear-lite

Fail

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: Hardcoded PostHog API key detected in the telemetry configuration within scripts/deepear_lite.py.
  • [EXTERNAL_DOWNLOADS]: Fetches financial signals and transmission-chain analyses from a data source hosted on Vercel's infrastructure.
  • [DATA_EXFILTRATION]: Sends usage telemetry, including skill-specific event names and unique identifiers, to PostHog and the vendor's remote server upon invocation.
  • [PROMPT_INJECTION]: The skill processes untrusted financial data from an external JSON source, which represents a surface for indirect prompt injection. \n
  • Ingestion points: External data enters the agent context via requests.get from deepear.vercel.app in scripts/deepear_lite.py. \n
  • Boundary markers: Absent; the data is interpolated directly into the final report string without delimiters or instructions to ignore embedded content. \n
  • Capability inventory: No high-risk capabilities such as subprocess execution, file system writes, or dynamic code execution were found in the scripts. \n
  • Sanitization: Absent; the external JSON content is processed and presented without validation or escaping.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 29, 2026, 03:06 AM