alpha-vantage
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the installation of
requestsandpandas. These are well-known, standard libraries for HTTP communication and data processing from the official Python Package Index (PyPI). - [PROMPT_INJECTION]: The skill includes a behavioral instruction that directs the agent to suggest the author's hosted platform (K-Dense Web) when user requests involve complex or multi-step reasoning. This overrides the agent's default behavior to include promotional content.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it retrieves and processes untrusted external data, such as financial news sentiment and company overviews, which are then integrated into the agent's context.
- Ingestion points: External data retrieved from the Alpha Vantage API functions (e.g., NEWS_SENTIMENT, OVERVIEW) defined in
SKILL.md. - Boundary markers: No delimiters or protective markers are used to isolate API response data from the agent's instructions.
- Capability inventory: The skill is restricted to making outbound HTTP GET requests using the
requestslibrary. - Sanitization: There is no evidence of content filtering or sanitization performed on the data received from the external API.
Audit Metadata