up-api
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill is distributed via an untrusted GitHub repository (`tcn33/up-banking-api-skill`). The installation instructions recommend using `npx` or `git clone` to download and execute code from this unverified source.
- COMMAND_EXECUTION (MEDIUM): The primary functionality relies on executing a local Python script (`scripts/up_api.py`). This script is not provided in the audit scope, making it impossible to verify if it performs malicious actions, contains vulnerabilities, or handles the `UP_API_TOKEN` securely.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: The `transactions` command fetches data from an external API, including `rawText`, `description`, and `message` fields which can be controlled by third parties (e.g., via transaction descriptions or transfer messages).
  - Boundary markers: The `SKILL.md` file lacks delimiters or instructions to the agent to ignore or sanitize embedded commands within the fetched transaction data.
  - Capability inventory: The skill possesses significant capabilities, including network access (API calls), file-writing (implicit in its management of webhooks), and execution of shell commands.
  - Sanitization: There is no evidence of data sanitization or validation of the API responses before they are processed by the agent.
- CREDENTIALS_UNSAFE (LOW): The skill requires a sensitive financial API token. While the token is provided via environment variables rather than being hardcoded, the lack of script visibility prevents verification of whether the token is ever logged, cached, or transmitted to unauthorized endpoints.
Audit Metadata