signal-postmortem
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches historical price data from the Financial Modeling Prep (FMP) API at financialmodelingprep.com. This is a well-known service for financial data.
- [CREDENTIALS_UNSAFE]: The skill requires an API key (FMP_API_KEY) to fetch data. It correctly instructs the user to provide this via environment variables or command-line arguments rather than hardcoding secrets in the source code.
- [DATA_EXFILTRATION]: Transmits the user-provided API key to the official service domain at financialmodelingprep.com to authenticate price data requests. This is expected behavior for using this service.
- [PROMPT_INJECTION]: The skill creates a feedback loop that processes performance data to influence downstream components like the signal aggregator weights. This constitutes an indirect prompt injection surface.
  - Ingestion points: Reads signal records from JSON files provided via --signals-file or found in the signals directory.
  - Boundary markers: No specific delimiters or instructions to ignore embedded content are used when processing signal data.
  - Capability inventory: The skill has the ability to write JSON, YAML, and Markdown reports to the file system and make network GET requests to a financial API.
  - Sanitization: Signal data is parsed using standard JSON libraries without additional content sanitization.