coingecko
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
Full Analysis
- [EXTERNAL_DOWNLOADS] (SAFE): Network requests are directed to legitimate CoinGecko API endpoints (api.coingecko.com and pro-api.coingecko.com) for market data.
- [CREDENTIALS_UNSAFE] (SAFE): The skill correctly uses environment variables (process.env.COINGECKO_API_KEY) for API authentication. No hardcoded credentials were detected.
- [PROMPT_INJECTION] (SAFE): The skill handles data from an external API, creating a theoretical surface for Indirect Prompt Injection. However, it specifically parses numerical price data using parseFloat(), which sanitizes the input and prevents execution of embedded instructions. 1. Ingestion point: examples/token-prices/get-token-price.ts via fetchApi. 2. Boundary markers: Absent. 3. Capability inventory: Limited to network requests (fetch). 4. Sanitization: Numeric parsing of price data.
- [FALSE_POSITIVE] (SAFE): The automated URL scanner alert for 'this.ca' is a false positive caused by the TypeScript variable 'this.calls' in docs/troubleshooting.md.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata