Security Audit
gracefullight/stock-checker:.agent/skills/Financial Data Fetcher
github.com/gracefullight/stock-checker
Trust Assessment
gracefullight/stock-checker:.agent/skills/Financial Data Fetcher received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unpinned Dependencies in Manifest.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 24, 2026 (commit 4a711df6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned Dependencies in Manifest: The skill's manifest lists dependencies without specifying exact versions. This can lead to supply chain vulnerabilities if a new version of a dependency introduces breaking changes, security flaws, or malicious code. It also makes the build non-deterministic. Pin all dependencies to specific versions (e.g., `alpaca-trade-api==1.2.3`) to ensure deterministic builds and mitigate risks from unexpected updates. Consider using a dependency lock file (e.g., `requirements.txt` with `pip freeze > requirements.txt`). | LLM | SKILL.md:2 |