crypto-gold-monitor

Warn

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The script crypto-monitor.sh contains a code injection vulnerability. In the get_metals function, the variables gold, silver, and prev_gold are interpolated directly into command strings for python3 -c and bc. For example, the command python3 -c "... .get('gold', $gold) ..." constructs a Python script using the raw value of the $gold variable. Since this variable can be populated by external API responses or the update command, a malicious input could escape the intended logic to execute arbitrary Python or shell commands on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill retrieves real-time financial data from several external services, including CoinGecko (api.coingecko.com), Yahoo Finance (query1.finance.yahoo.com), ExchangeRate-API (api.exchangerate-api.com), and GoldAPI (www.goldapi.io). These external requests are used to fetch the pricing information displayed by the skill.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 8, 2026, 12:06 PM