data-analysis

Warn

Audited by Gen Agent Trust Hub on Feb 23, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The functions export_chart and export_all_for_presentation in reference/chart-gallery.md accept filename and output_dir as inputs and use them directly in file system operations (Path.mkdir, fig.write_image). This lack of validation allows for potential path traversal attacks where a malicious user could overwrite sensitive files.
  • [PROMPT_INJECTION] (LOW): The kpi_card function in reference/chart-gallery.md is vulnerable to indirect injection because it embeds raw input data into HTML strings without sanitization.
    • Ingestion points: The label, value, and delta arguments in the kpi_card function in reference/chart-gallery.md.
    • Boundary markers: None present.
    • Capability inventory: File-write capabilities via plotly export functions in reference/chart-gallery.md.
    • Sanitization: None; input values are directly concatenated into an HTML template.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 23, 2026, 02:25 AM