portfolio-manager
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from the Alpaca API and CSV files without explicit sanitization or boundary markers. * Ingestion points: Fetches positions via Alpaca MCP tools and manual CSV uploads in SKILL.md and README.md. * Boundary markers: None specified to delimit external data. * Capability inventory: Writes detailed analysis reports to the local file system as described in SKILL.md. * Sanitization: No input validation or escaping for the processed financial data is mentioned.
- [EXTERNAL_DOWNLOADS]: Relies on standard libraries like requests and alpaca-trade-api for API connectivity which are well-known resources.
- [CREDENTIALS_UNSAFE]: Provides instructions for users to store sensitive Alpaca API credentials in environment variables and local configuration files such as .bashrc and config.ini to enable service integration.
Audit Metadata