Security Audit
analyzing-time-series
github.com/https-deeplearning-ai/sc-agent-skills-filesTrust Assessment
analyzing-time-series received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings include Path Traversal via Unsanitized File and Output Directory Arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 1, 2026 (commit 211cdd64). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Path Traversal via Unsanitized File and Output Directory Arguments The `diagnose.py` and `visualize.py` scripts accept `file` and `output-dir` as command-line arguments. These arguments are directly used in `pd.read_csv(filepath)` and `Path(output_dir) / ...` operations without any path sanitization or validation. If an AI agent passes unsanitized user input for these arguments, an attacker could exploit this to read arbitrary files (e.g., `../../../../etc/passwd` for `file`) or write files to arbitrary locations outside the intended output directory (e.g., `../../../../tmp` for `output-dir`). This grants excessive permissions to the skill, leading to potential data exfiltration or data tampering. The AI agent calling these scripts must ensure that all file paths and output directories passed as arguments are strictly controlled, sanitized, and confined to a secure, isolated, temporary directory. Alternatively, the scripts themselves should implement robust path validation, canonicalization, and confinement checks (e.g., ensuring paths resolve within a designated sandbox directory) before performing file operations. | LLM | scripts/diagnose.py:40 | |
| HIGH | Path Traversal via Unsanitized File and Output Directory Arguments The `diagnose.py` and `visualize.py` scripts accept `file` and `output-dir` as command-line arguments. These arguments are directly used in `pd.read_csv(filepath)` and `Path(output_dir) / ...` operations without any path sanitization or validation. If an AI agent passes unsanitized user input for these arguments, an attacker could exploit this to read arbitrary files (e.g., `../../../../etc/passwd` for `file`) or write files to arbitrary locations outside the intended output directory (e.g., `../../../../tmp` for `output-dir`). This grants excessive permissions to the skill, leading to potential data exfiltration or data tampering. The AI agent calling these scripts must ensure that all file paths and output directories passed as arguments are strictly controlled, sanitized, and confined to a secure, isolated, temporary directory. Alternatively, the scripts themselves should implement robust path validation, canonicalization, and confinement checks (e.g., ensuring paths resolve within a designated sandbox directory) before performing file operations. | LLM | scripts/visualize.py:30 |
Scan History
Embed Code
[](https://skillshield.io/report/d2aa289d267704b3)
Powered by SkillShield