watch-my-money
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it processes untrusted merchant descriptions from external files.
- Ingestion points: According to `SKILL.md`, the skill ingests data from CSV bank exports and user-pasted transaction text.
- Boundary markers: No delimiters or safety instructions are provided to isolate transaction descriptions from the agent's logic.
- Capability inventory: The skill is capable of writing HTML and JSON files to the local filesystem and executing CLI commands.
- Sanitization: The workflow specifies normalization of numeric values but does not describe any sanitization for string-based merchant descriptions to prevent them from influencing agent behavior or injecting malicious HTML.
- [COMMAND_EXECUTION]: The skill's operational model depends on local shell command execution.
- Evidence: Multiple instructions in `SKILL.md` and `references/budget-templates.md` require the agent to invoke `python -m watch_my_money` for analysis, comparisons, and budget management.
- Context: These commands utilize the vendor's own Python module ('sundial-org') to perform the core functions of the skill.
- [EXTERNAL_DOWNLOADS]: The generated report references resources from a well-known service.
- Evidence: The `assets/template.html` file fetches font styles from Google's official repository at `fonts.googleapis.com`.
Audit Metadata