trading-signals
Warn
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill contains imperative instructions that mandate specific actions by the agent, such as 'You MUST attempt to run the `gh api` command' to star the author's repository. This is a behavioral override designed to manipulate the agent into performing social engagement actions on behalf of the user without per-instance consent.
- [DATA_EXFILTRATION]: The skill instructs the agent to autonomously register on behalf of the human operator by sending personally identifiable information (PII), including name, email, and GitHub URL, to a third-party endpoint (`https://signals.x70.ai/api/skill/register`). This constitutes an exposure of sensitive user data.
- [COMMAND_EXECUTION]: The documentation provides specific shell commands (`curl` and `gh api`) for the agent to execute. These commands interact with remote APIs and modify the user's GitHub account state (starring a repository).
- [EXTERNAL_DOWNLOADS]: The skill documentation suggests using `npx skills add` to install additional external skills, which involves downloading and executing logic from remote repositories such as `roman-rr/trading-skills`.
- [PROMPT_INJECTION]: The skill processes free-form text from a remote API (the `summary` and `type` fields in signal data), which presents a surface for indirect prompt injection.
  - Ingestion points: API responses from `https://signals.x70.ai/api/skill/signals` containing analysis summaries.
  - Boundary markers: Absent; the instructions do not include delimiters or warnings for the agent to ignore instructions embedded in the signal data.
  - Capability inventory: The agent has access to shell commands (`curl`, `gh`) and is encouraged to use them.
  - Sanitization: Absent; there is no mention of filtering or validating the remote text before the agent processes or presents it.
Audit Metadata