actual-budget-assistant
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructions direct the agent to construct shell commands by interpolating user-provided values (such as account names and dates) directly into command-line arguments, e.g. node scripts/list-transactions.js --account="[USER_INPUT]". This pattern is highly susceptible to command injection. If a user provides an input like BCA" ; rm -rf / ; " the agent may execute the malicious command sequence.
- [PROMPT_INJECTION] (HIGH): This skill exhibits a high risk of Indirect Prompt Injection (Category 8).
  - Ingestion points: Data enters the agent's context from the Actual Budget API (transactions, account names, categories) and from direct user queries.
  - Boundary markers: There are no instructions for the agent to use delimiters or to ignore instructions embedded within the budget data.
  - Capability inventory: The skill uses shell command execution via Node.js scripts to interact with the system.
  - Sanitization: There is no mention of sanitizing or escaping the data fetched from the API, or the parameters provided by the user, before they are passed to the shell.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the installation of an external Node.js package, @actual-app/api. While this is a legitimate library for the 'Actual Budget' software, it is not on the pre-approved trusted source list and represents an unverifiable dependency that the skill relies on for core functionality.
- [NO_CODE] (MEDIUM): The logic for querying the budget is contained in scripts within a scripts/ directory (e.g. list-accounts.js, list-transactions.js) which are not provided for analysis. It is impossible to verify whether these scripts handle data securely or contain further vulnerabilities.
Recommendations
- AI detected serious security threats
Audit Metadata