Security Audit
gracefullight/stock-checker:.agent/skills/stock-analysis
github.com/gracefullight/stock-checker
Trust Assessment
gracefullight/stock-checker:.agent/skills/stock-analysis received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 0 medium, and 2 low severity. Key findings include "Sensitive path access: AI agent config" and "Loose Dependency Pinning".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 24, 2026 (commit 4a711df6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Sensitive path access: AI agent config. Access to an AI agent config path was detected: `~/.clawdbot/`. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | .agent/skills/stock-analysis/SKILL.md:66 |
| LOW | Loose Dependency Pinning. The skill's Python scripts use loose dependency pinning (e.g., `package>=X.Y.Z`) instead of exact pinning (`==X.Y.Z`) or compatible release pinning (`~=X.Y.Z`). This can lead to unexpected behavior, breaking changes, or the introduction of vulnerabilities if a new major or minor version of a dependency is released with issues. While not a critical vulnerability, it increases supply chain risk by allowing potentially untested or vulnerable versions to be installed. Pin dependencies to exact versions (e.g., `package==X.Y.Z`) or use compatible release operators (e.g., `package~=X.Y.Z`) to ensure stability and prevent unexpected updates. For example, change `yfinance>=0.2.40` to `yfinance~=0.2.40` or `yfinance==0.2.40`. | Static | scripts/analyze_stock.py:4 |
| LOW | Loose Dependency Pinning. Same finding and recommendation as the row above. | Static | scripts/portfolio.py:4 |
Full report: https://skillshield.io/report/6a9f813bd2a96f0f
Powered by SkillShield