dcf-model
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill directs the agent to execute Python scripts for essential model maintenance, specifically `recalc.py` for formula recalculation (part of the platform's infrastructure) and a local script `scripts/validate_dcf.py` to check for logical errors and formula inconsistencies in the generated Excel files.
- [EXTERNAL_DOWNLOADS]: The skill retrieves financial data from well-known external sources using the `yfinance` and `requests` libraries. This is a core functionality necessary for obtaining current stock prices, beta values, and historical financial statements for companies.
- [PROMPT_INJECTION]: The skill contains a vulnerability surface for indirect prompt injection because it ingests untrusted data from the web.
  - Ingestion points: Untrusted data enters the agent's context through financial lookups via the `yfinance` library and general web searches specified in the data retrieval phase of `SKILL.md`.
  - Boundary markers: Absent. The instructions do not define delimiters or provide warnings for the agent to ignore instructions potentially embedded in external data.
  - Capability inventory: The skill possesses capabilities for writing Excel files (`openpyxl`), making network requests (`requests`), and executing local commands (`recalc.py` and `validate_dcf.py`).
  - Sanitization: Absent. The skill lacks instructions or logic to sanitize, escape, or validate external content before it is incorporated into the modeling process or final output.
Audit Metadata