USMetrics
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill connects to official, well-known government and technology services to retrieve economic data. Specifically, it fetches data from api.stlouisfed.org, api.eia.gov, and api.fiscaldata.treasury.gov. These connections are essential for the skill's stated purpose and target trusted sources.
- [COMMAND_EXECUTION]: The skill uses the Bun runtime to execute local TypeScript tools (e.g., update-substrate-metrics.ts) for data processing. These commands are documented, use local file paths, and are restricted to the skill's own logical scope.
- [DATA_EXFILTRATION]: No sensitive data exposure or exfiltration patterns were identified. A mandatory notification step sends a status update to a local network endpoint (http://localhost:8888/notify) to trigger voice notifications, which is a common pattern for local agent integrations.
- [PROMPT_INJECTION]: The skill processes external data from government APIs to populate its reports. While this creates a theoretical surface for indirect prompt injection, the reliance on trusted, authoritative data providers effectively mitigates this risk in a standard operating context.
Audit Metadata