stock-rt-subscribe
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/ai_agent_integration.py uses subprocess.run() to execute pip3 install for dependency management and subprocess.Popen() to launch a background WebSocket service. It also utilizes import() for dynamic module loading during its installation phase.
- [EXTERNAL_DOWNLOADS]: The skill's install() method in scripts/ai_agent_integration.py automatically downloads and installs Python packages from PyPI. Furthermore, the skill establishes network connections to external endpoints, such as STOCK_RT_NODE_URL and STOCK_MCP_URL, to retrieve financial data and historical market information.
- [REMOTE_CODE_EXECUTION]: The automated installation of Python packages via pip during the skill's setup process represents a supply chain risk, as it allows for the execution of code from external registries at runtime based on potentially untrusted metadata.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it interpolates data from an external stock node (e.g., stock names and codes) directly into alert messages using .format_map() in scripts/alert_engine.py. Without sanitization, a compromised data source could inject malicious instructions into the agent's conversation history.
  - Ingestion points: External stock tick data received via WebSocket or HTTP in scripts/subscribe_client.py and scripts/ai_agent_integration.py.
  - Boundary markers: The skill lacks explicit boundary markers or instructions to ignore embedded commands when formatting alert strings.
  - Capability inventory: The environment allows subprocess execution, network operations, and file system writes (e.g., to .env and alert_log.json).
  - Sanitization: There is no evidence of input validation or escaping of the data fields before they are included in the generated alert messages.
Audit Metadata