Is jesusmanuelrg/horizon-trader safe?
https://github.com/openclaw/skills/tree/main/skills/jesusmanuelrg/horizon-trader
Horizon Trader is a legitimate prediction market trading skill with reasonable input validation for most commands, but it contains a critical arbitrary file read in the tearsheet command (the supplied path is opened without any validation) and depends on an opaque third-party pip package (horizon-sdk) whose import-time and runtime behaviour could not be audited. Six sensitive credential files were read about six seconds after installation with no conclusive process attribution, and the REST-based feed types give an agent an outbound channel to arbitrary public HTTPS servers that the partial, string-based SSRF protection does not cover. Because the skill can submit real financial orders, any agent confusion or credential exposure carries direct monetary consequences.
Findings (8)
HIGH Arbitrary file read via unvalidated tearsheet path -35
The tearsheet command handler opens a user-supplied file path with no validation: with open(path) as f. An agent instructed to generate a tearsheet from /home/user/.env or /home/user/.ssh/id_rsa would open and attempt to parse those files. Even where a row fails float conversion and raises ValueError, the file has already been opened and read, and any row that does parse as floats is returned in the JSON output. There is no base directory, extension check, or other constraint between the agent's string and open(), which makes this a reliable credential-file read gadget.
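The vulnerable pattern beside a hardened form, as an added example that is not the skill's own code. The parser, the directory layout and the `.env` contents are constructed stand-ins; the one assumption beyond the finding is that a row which fails float() raises a ValueError quoting the row and that the CLI lets that message reach the agent, which is how an open() on the wrong file becomes a leak even when no row parses:

```python
import tempfile
from pathlib import Path


def _parse_rows(path):
    """Parse comma-separated float rows from a tearsheet file.

    Assumption, not taken from the skill: a row that fails float() raises a
    ValueError that quotes the row, and the CLI surfaces that message to the
    agent. That is how an open() on the wrong file turns into a credential leak.
    """
    rows = []
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line:
                continue
            try:
                rows.append([float(x) for x in line.split(",")])
            except ValueError:
                raise ValueError(f"could not parse tearsheet row: {line!r}") from None
    return rows


def tearsheet_unsafe(path):
    """The pattern in the finding: the agent-supplied path goes straight to open()."""
    return _parse_rows(path)


def tearsheet_safe(path, base_dir):
    """Hardened form: relative .csv paths only, confined to base_dir after resolution."""
    base = Path(base_dir).resolve(strict=True)
    requested = Path(path)
    if requested.is_absolute():
        raise ValueError("absolute paths are not allowed")
    if requested.suffix.lower() != ".csv":
        raise ValueError("only .csv tearsheets are allowed")
    # resolve() follows symlinks and collapses '..', so a symlink planted inside
    # base_dir that points at ~/.ssh/id_rsa is rejected just like '../.env'.
    target = (base / requested).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError("path escapes the tearsheet directory") from None
    if not target.is_file():
        raise FileNotFoundError(f"no such tearsheet: {requested}")
    return _parse_rows(target)


def demo():
    """Run both handlers against a throwaway home directory; returns the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        sheets = home / "tearsheets"
        sheets.mkdir()
        (sheets / "pnl.csv").write_text("1.5,2.0\n-0.25,3.0\n")
        secret = home / ".env"  # constructed stand-in; the value is not a real key
        secret.write_text("HORIZON_API_KEY=hk_example_not_real\n")

        try:
            tearsheet_unsafe(secret)
            results["unsafe"] = "no error"
        except ValueError as e:
            results["unsafe"] = "leaked" if "hk_example_not_real" in str(e) else "no leak"

        results["safe_ok"] = tearsheet_safe("pnl.csv", sheets)
        for label, attempt in (("traversal", "../.env"), ("absolute", str(secret))):
            try:
                tearsheet_safe(attempt, sheets)
                results[label] = "allowed"
            except (ValueError, FileNotFoundError):
                results[label] = "blocked"

        link = sheets / "link.csv"
        try:
            link.symlink_to(secret)
        except OSError:
            results["symlink"] = "skipped"  # filesystem without symlink support
        else:
            try:
                tearsheet_safe("link.csv", sheets)
                results["symlink"] = "allowed"
            except ValueError:
                results["symlink"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The suffix check alone stops `../.env`; the `relative_to` check after `resolve()` is what catches the symlink, and the absolute-path rejection is what stops the exact prompt the finding describes. The base directory should be fixed at install time, never chosen by the agent.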
HIGH Post-install canary credential file sweep with unclear attribution -25
Six sensitive credential files were opened and read in a second complete sweep at auditd timestamp 1771920614, approximately 6 seconds after skill installation completed at 1771920608. The access pattern is identical to the pre-install baseline sweep and covers .env, SSH private key, AWS credentials, .npmrc, Docker config, and GCP application credentials. The process responsible is not conclusively identified in the available log window.
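Attribution of a sweep like this comes from joining each PATH record to the SYSCALL record with the same event serial, which carries pid, ppid, comm and exe. The following is an added example, not the audit harness's tooling: it parses constructed auditd raw records (not the real log; the timestamps reuse the finding's values and the user home is hypothetical), keeps reads of the six canary files inside a window after the install timestamp, and separates attributed reads from the residue that has no SYSCALL record in the window:

```python
import re
from collections import defaultdict

# The six canary files named in the finding, as paths under a hypothetical user home.
CANARY_FILES = {
    "/home/user/.env",
    "/home/user/.ssh/id_rsa",
    "/home/user/.aws/credentials",
    "/home/user/.npmrc",
    "/home/user/.docker/config.json",
    "/home/user/.config/gcloud/application_default_credentials.json",
}

# Constructed auditd raw records (not the audit's real log). Event 8004 deliberately
# has its PATH record but no SYSCALL record, the situation that leaves a read unattributed.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1771920608.412:8001): arch=c000003e syscall=257 success=yes exit=3 pid=4100 ppid=4000 comm="git" exe="/usr/bin/git" key="install"
type=PATH msg=audit(1771920608.412:8001): item=0 name="/home/user/skills/horizon-trader/SKILL.md" inode=1001 mode=0100644
type=SYSCALL msg=audit(1771920614.020:8002): arch=c000003e syscall=257 success=yes exit=3 pid=4321 ppid=4300 comm="python3" exe="/usr/bin/python3.11" key="canary"
type=PATH msg=audit(1771920614.020:8002): item=0 name="/home/user/.env" inode=2001 mode=0100600
type=SYSCALL msg=audit(1771920614.021:8003): arch=c000003e syscall=257 success=yes exit=3 pid=4321 ppid=4300 comm="python3" exe="/usr/bin/python3.11" key="canary"
type=PATH msg=audit(1771920614.021:8003): item=0 name="/home/user/.ssh/id_rsa" inode=2002 mode=0100600
type=PATH msg=audit(1771920614.022:8004): item=0 name="/home/user/.aws/credentials" inode=2003 mode=0100600
type=SYSCALL msg=audit(1771920700.500:8005): arch=c000003e syscall=257 success=yes exit=3 pid=5555 ppid=1 comm="backup" exe="/usr/bin/backup" key="canary"
type=PATH msg=audit(1771920700.500:8005): item=0 name="/home/user/.npmrc" inode=2004 mode=0100644
"""

_REC = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)")
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_events(text):
    """Group raw auditd records by event serial; SYSCALL fields attribute, PATH fields name files."""
    events = {}
    for line in text.splitlines():
        m = _REC.match(line)
        if not m:
            continue
        ev = events.setdefault(m["serial"], {"ts": float(m["ts"]), "paths": []})
        fields = {k: (q if q else u) for k, q, u in _KV.findall(m["rest"])}
        if m["type"] == "SYSCALL":
            for k in ("pid", "ppid", "comm", "exe", "key"):
                ev[k] = fields.get(k)
        elif m["type"] == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return events


def canary_hits(events, install_ts, window_s=30):
    """Canary-file reads within window_s after install_ts, with whatever attribution exists."""
    hits = []
    for serial, ev in sorted(events.items(), key=lambda kv: kv[1]["ts"]):
        if not install_ts <= ev["ts"] <= install_ts + window_s:
            continue
        for name in ev["paths"]:
            if name in CANARY_FILES:
                hits.append({
                    "serial": serial, "ts": ev["ts"], "file": name,
                    "pid": ev.get("pid"), "ppid": ev.get("ppid"),
                    "comm": ev.get("comm"), "exe": ev.get("exe"),
                    "attributed": ev.get("pid") is not None,
                })
    return hits


def attribution_summary(hits):
    """Files grouped by (pid, comm); the (None, None) bucket is the unattributed residue."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[(h["pid"], h["comm"])].append(h["file"])
    return dict(grouped)


if __name__ == "__main__":
    hits = canary_hits(parse_events(SAMPLE_AUDIT_LOG), install_ts=1771920608)
    for proc, files in attribution_summary(hits).items():
        print(proc, files)
```

On a real host the records come from watch rules such as `auditctl -w /home/user/.env -p r -k canary` and are pulled with `ausearch -k canary`. When a PATH record has no SYSCALL partner, check `auditctl -s` for a non-zero `lost` count before concluding anything: dropped records look exactly like the unattributed bucket above.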
HIGH Opaque third-party SDK installed via pip with API key requirement and outbound connections -20
The skill's only execution vector is python3 horizon.py <command>, which runs from horizon import tools, provided by the horizon-sdk pip package. This package communicates with the Horizon service using HORIZON_API_KEY and makes outbound HTTPS connections, and its import-time and runtime behaviour is entirely opaque. Install scripts for the SDK package were not examined. Nothing in the skill constrains what the SDK does on import: it could read environment variables, scan the filesystem, or transmit data on every invocation.
MEDIUM REST feed types allow agent-initiated outbound connections to arbitrary HTTPS endpoints -18
The start-feed command supports rest, rest_json_path, and chainlink feed types that accept user-supplied URLs. The SSRF protection blocks private IP ranges and known cloud metadata hosts, but because it is string matching on the URL rather than a check on what the hostname actually resolves to, it does not prevent DNS rebinding, CNAME chains that end at a private address, or alternate encodings of the same address. A connection to an attacker-controlled public HTTPS server is not an SSRF case at all and is not blocked by any check. A malicious instruction could use either route to POST agent context or credential content to an external receiver.
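The gap between a string denylist and a resolution-based check, as an added example that is not the skill's own SSRF code. The hostnames, the DNS table and the "public" addresses are constructed; `fake_resolve` stands in for `socket.getaddrinfo`, including glibc's acceptance of a bare decimal integer as an IPv4 literal. The allowlist parameter is the only thing in the block that stops the attacker-controlled public server:

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table standing in for real resolution (hosts and addresses are not real).
FAKE_DNS = {
    "feeds.example.com": ["20.30.40.50"],             # routable public stand-in
    "collector.attacker.example": ["20.30.40.99"],    # attacker-controlled public server
    "rebind.attacker.example": ["10.0.0.5"],          # public name whose record now points inside
    "metadata.google.internal": ["169.254.169.254"],
    "localhost": ["127.0.0.1"],
}


def fake_resolve(host):
    # Mimics glibc getaddrinfo, which accepts a bare decimal integer as an IPv4 literal.
    if host.isdigit():
        return [str(ipaddress.IPv4Address(int(host)))]
    if host not in FAKE_DNS:
        raise ValueError(f"NXDOMAIN {host}")
    return list(FAKE_DNS[host])


def weak_string_check(url):
    """String denylist of the kind the finding describes: it only looks at the URL text."""
    host = (urlsplit(url).hostname or "").lower()
    if host in {"169.254.169.254", "metadata.google.internal", "metadata", "localhost"}:
        return False
    return not host.startswith(("10.", "127.", "169.254.", "192.168.", "172.16."))


def _is_internal(ip):
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)


def check_feed_url(url, resolve=fake_resolve, allowed_hosts=None):
    """Return (allowed, reason, pinned_ip). Resolves the host and judges every address."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https", None
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host", None
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not on feed allowlist", None
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: nothing to resolve
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except ValueError as e:
            return False, f"unresolvable host: {e}", None
    if not addrs:
        return False, "no addresses", None
    for ip in addrs:
        if _is_internal(ip):
            return False, f"{host} resolves to internal address {ip}", None
    # The caller must connect to pinned_ip (sending Host/SNI for `host`) so that a
    # second resolution at connect time cannot swap in a private address (rebinding).
    return True, "ok", str(addrs[0])


SAMPLE_URLS = [
    "https://feeds.example.com/prices",
    "https://169.254.169.254/latest/meta-data/",
    "https://2852039166/latest/meta-data/",     # same address as a decimal integer
    "https://rebind.attacker.example/feed",
    "https://collector.attacker.example/upload",
]


def compare(urls):
    """url -> (weak string check verdict, resolution-based verdict)."""
    return {u: (weak_string_check(u), check_feed_url(u)[0]) for u in urls}


if __name__ == "__main__":
    for url, verdicts in compare(SAMPLE_URLS).items():
        print(verdicts, url)
    print(check_feed_url(SAMPLE_URLS[-1], allowed_hosts={"feeds.example.com"}))
```

The pinned address is only useful if the HTTP client is then made to connect to it; resolving once for the check and letting the client resolve again on connect leaves the rebinding window open. For a feed that should only ever talk to a handful of known data providers, the allowlist is the control that actually closes the exfiltration channel.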
MEDIUM Real financial order submission with inadequate autonomous-execution guardrails -25
The skill tells the agent it can submit live market orders, cancel all orders, and toggle an emergency kill-switch. The only guard is a soft note in SKILL.md: 'Always confirm with the user before submitting.' That is insufficient for a skill injected into a system prompt, because a confused or socially-engineered agent could submit real orders worth significant capital. The arb command executes cross-exchange trades atomically, and the CLI documents no confirmation requirement for it at all.
MEDIUM Inconsistent input validation: some commands bypass safe helpers -12
Most commands use _safe_int(), _safe_float(), and _validate_text() for input sanitization. However, bayesian-opt uses bare int(), hawkes uses bare float() for the mu/alpha/beta parameters, and correlation passes raw json.loads() output directly to ledoit_wolf_shrinkage() without structure validation. Bare float() accepts 'nan', 'inf' and overflowing literals such as '1e400', and json.loads() accepts NaN and null, so these paths feed values into numerical routines that the safe helpers would have stopped. The inconsistency creates a patchwork trust boundary.
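What the bypassed helpers should be doing, as an added example rather than the skill's own _safe_int/_safe_float (whose internals the finding does not show). The parameter names are the ones the finding mentions; the bounds, the stationarity rule for the Hawkes parameters and the matrix-size limits are assumptions:

```python
import json
import math
import re

_INT_RE = re.compile(r"^[+-]?\d{1,18}$")


def safe_int(value, name, lo, hi):
    """Strict, bounded integer parse. Rejects bools, floats, '1_000', ' 7 ', '0x10'."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError(f"{name}: expected an integer")
    if isinstance(value, str) and not _INT_RE.match(value):
        raise ValueError(f"{name}: not a plain decimal integer")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"{name}: {n} outside [{lo}, {hi}]")
    return n


def safe_float(value, name, lo, hi):
    """Finite, bounded float. Bare float() accepts 'nan', 'inf' and '1e400' (-> inf)."""
    if isinstance(value, bool) or not isinstance(value, (int, float, str)):
        raise ValueError(f"{name}: expected a number")
    try:
        x = float(value)
    except ValueError:
        raise ValueError(f"{name}: not a number") from None
    if not math.isfinite(x):
        raise ValueError(f"{name}: must be finite")
    if not lo <= x <= hi:
        raise ValueError(f"{name}: {x} outside [{lo}, {hi}]")
    return x


def hawkes_params(raw):
    """Validated mu/alpha/beta for an exponential-kernel Hawkes process (bounds are assumed)."""
    mu = safe_float(raw.get("mu"), "mu", 1e-9, 1e6)
    alpha = safe_float(raw.get("alpha"), "alpha", 0.0, 1e6)
    beta = safe_float(raw.get("beta"), "beta", 1e-9, 1e6)
    # Stationarity needs branching ratio alpha/beta < 1; otherwise the intensity explodes.
    if alpha >= beta:
        raise ValueError("alpha must be smaller than beta (alpha/beta < 1)")
    return {"mu": mu, "alpha": alpha, "beta": beta}


def validate_returns_matrix(obj, max_rows=10_000, max_assets=64):
    """Structure check for json.loads() output before it reaches a covariance routine."""
    if not isinstance(obj, list) or len(obj) < 2:
        raise ValueError("returns must be a list of at least two observation rows")
    if len(obj) > max_rows:
        raise ValueError(f"too many rows (> {max_rows})")
    width = None
    rows = []
    for i, row in enumerate(obj):
        if not isinstance(row, list) or not row:
            raise ValueError(f"row {i}: expected a non-empty list")
        if width is None:
            width = len(row)
            if width > max_assets:
                raise ValueError(f"too many assets (> {max_assets})")
        elif len(row) != width:
            raise ValueError(f"row {i}: ragged matrix ({len(row)} != {width})")
        rows.append([safe_float(v, f"row {i} col {j}", -1e6, 1e6) for j, v in enumerate(row)])
    return rows


def demo():
    """Contrast bare int()/float()/json.loads() with the strict helpers; returns outcomes."""
    results = {
        "bare_float_accepts_nan": math.isnan(float("nan")),
        "bare_float_overflows_to_inf": float("1e400") == math.inf,
        "json_accepts_nan": math.isnan(json.loads("[NaN]")[0]),
        "hawkes_ok": hawkes_params({"mu": "0.2", "alpha": "0.5", "beta": "1.0"}),
    }
    bad_cases = {
        "hawkes_nan_alpha": lambda: hawkes_params({"mu": "0.2", "alpha": "nan", "beta": "1.0"}),
        "hawkes_non_stationary": lambda: hawkes_params({"mu": "0.2", "alpha": "2", "beta": "1"}),
        "hawkes_bool_mu": lambda: hawkes_params({"mu": True, "alpha": "0.5", "beta": "1.0"}),
        "int_underscores": lambda: safe_int("1_000", "n", 1, 10_000),
        "matrix_ragged": lambda: validate_returns_matrix(json.loads("[[0.1, 0.2], [0.3]]")),
        "matrix_nan": lambda: validate_returns_matrix(json.loads("[[0.1, NaN], [0.2, 0.3]]")),
        "matrix_null": lambda: validate_returns_matrix(json.loads("[[0.1, null], [0.2, 0.3]]")),
    }
    for label, fn in bad_cases.items():
        try:
            fn()
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    results["matrix_ok"] = validate_returns_matrix(json.loads("[[0.1, 0.2], [0.3, 0.4]]"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of routing every command through the same helpers is that the bounds live in one place: an agent that is talked into passing `alpha=1e308` or a NaN-laden matrix hits the same rejection whichever command it uses, instead of finding the one command that still calls float() directly.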
LOW Version declared in SKILL.md (0.4.16) absent from _meta.json published history -10
The _meta.json reports latest version 0.5.5 with a history of 0.3.1, 0.5.0, 0.5.4, 0.5.5. SKILL.md declares version 0.4.16, which does not appear in any history entry. The installed skill is a version with no changelog record, making it impossible to audit what changed from the last tracked version.
INFO Installation follows expected sparse-checkout pattern from public monorepo 0
The install process used git clone --depth 1 --no-checkout followed by sparse-checkout to isolate the skill subdirectory. No git hooks, gitattributes filters, or submodules were present. Filesystem changes were limited to the skill-under-test directory.