alphaear-reporter

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Dynamic Execution] (HIGH): scripts/utils/predictor/evaluation.py calls torch.load() without weights_only=True. torch.load() deserializes checkpoints with Python's pickle module, so a tampered checkpoint or one fetched from an untrusted source can execute arbitrary code at load time. (PyTorch 2.6 and later default to weights_only=True, so the finding is live where an older torch is pinned or weights_only=False is passed explicitly; even then, weights_only is an allowlist on top of pickle rather than a sandbox, whereas the safetensors format avoids pickle entirely.) Similarly, scripts/utils/predictor/kline_generate.py calls from_pretrained to fetch NeoQuasar/Kronos-base, which downloads and loads model code/data from a remote repository that is not on the whitelist.
  • [Indirect Prompt Injection] (HIGH): The skill has a large indirect-prompt-injection surface. It retrieves untrusted content from the internet via web_search and fetch_news_content (scripts/prompts/fin_agent.py) and interpolates that content directly into the sensitive prompts in references/PROMPTS.md, with no robust sanitization and no strict boundary markers separating data from instructions. An attacker who can plant instructions in a news article or web page the skill processes can therefore steer the generated financial reports, ticker weights and investment predictions.
  • [External Downloads] (MEDIUM): The skill dynamically downloads model weights and tokenizers from the NeoQuasar repository. This source is not in the predefined 'Trusted External Sources' list (HuggingFace is not automatically trusted unless the specific organization is whitelisted), so the download risks executing untrusted code or using compromised model parameters. Pinning a specific repository revision and verifying file hashes would at least make the fetched artifacts reproducible and reviewable.
  • [Data Exposure] (LOW): The skill reads several API keys (JINA_API_KEY, DEEPSEEK_API_KEY, etc.) from environment variables. It does not hardcode them, but it uses ContentExtractor to send data to https://r.jina.ai/, a third-party content-extraction service. Jina is a common tool, but users should be aware that their queries and the retrieved content are processed by that external endpoint.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 06:20 AM