trade-hypothesis-ideator

Warn

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script 'scripts/pipeline/strategy_exporter.py' uses 'importlib.util.spec_from_file_location' and 'exec_module' to dynamically load a Python script from a relative directory path ('../../edge-candidate-agent/scripts/candidate_contract.py'). This allows execution of arbitrary code from a location outside the skill's audited package scope.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from JSON bundles that are subsequently interpolated into prompts, creating a surface for indirect prompt injection.
  • Ingestion points: 'scripts/pipeline/evidence_extractor.py' extracts text from fields such as 'journal_snippets' and 'market_context' within the input JSON bundle for prompt construction.
  • Boundary markers: The '{{evidence_summary}}' tag in 'prompts/developer_prompt_template.md' is not protected by delimiters or 'ignore' instructions to prevent the LLM from following commands embedded in the evidence data.
  • Capability inventory: The skill can perform file system operations (writing artifacts) and execute local Python code dynamically via the exporter module.
  • Sanitization: The validation logic in 'scripts/pipeline/format_output.py' includes checks for specific banned financial phrases but lacks sanitization against common prompt injection attack patterns.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 8, 2026, 12:05 AM