wind-find-finance-skill
Warn
Audited by Gen Agent Trust Hub on May 22, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the agent to execute Node.js scripts (scripts/update-check.mjs and scripts/check-updates.mjs) to perform version checks. It also instructs the agent to execute CLI tools from other skills (e.g., node <wind-mcp-skill-dir>/scripts/cli.mjs open-portal) when configuration issues are detected.
- [REMOTE_CODE_EXECUTION]: The skill is designed to install external code packages from GitHub and Gitee using the npx skills add command. The instructions explicitly mandate that the AI "must directly execute installation" once the user confirms a choice, which results in the download and execution of remote vendor code.
- [PROMPT_INJECTION]: The SKILL.md core logic uses highly restrictive directives ("MUST", "Mandatory action", "Hard gate") to control agent behavior. It specifically forbids the AI from using general knowledge, web searches, or other internal tools as fallbacks if a catalog-matching skill is not yet installed.
- [PROMPT_INJECTION]: The update-checking mechanism presents an indirect injection surface. The scripts scan the current working directory and all of its parent directories for skills-lock.json or .skill-lock.json files. If an attacker places a malicious lock file in a project directory where the agent is active, or in any directory above it, the agent could ingest and act upon data parsed from that file during the update flow.
- Ingestion points: skills-lock.json and .skill-lock.json files parsed from project directories.
- Boundary markers: None; the parsed data from these files is used to generate the status output for the agent.
- Capability inventory: Execution of Node.js scripts via node and of npx installation commands.
- Sanitization: No validation or sanitization is performed on the JSON content of the discovered lock files before the agent processes the results.
Audit Metadata