Security Audit

analyzing-time-series

github.com/https-deeplearning-ai/sc-agent-skills-files

AI SkillCommit d3e7b4f6ec5d

CAUTION

Scanned 9 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

analyzing-time-series received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings include Arbitrary File Read from Input Path, Path Traversal in `--output-dir` Argument.

The analysis covered 4 layers: llm_behavioral_safety, manifest_analysis, static_code_analysis, dependency_graph. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 11, 2026 (commit d3e7b4f6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

70%

Dependency Graph

100%

LLM Behavioral Safety

100%

Behavioral Risk Signals

Filesystem Write

2 findings

Shell Execution

1 finding

Security Findings2

Severity	Finding	Layer	Location
HIGH	Arbitrary File Read from Input Path The scripts `scripts/diagnose.py` and `scripts/visualize.py` accept a positional argument for the input CSV file path. This path is passed to the `ts_utils.load_data` function and used directly in `pd.read_csv(filepath)` without validation. This allows a user to specify an absolute or relative path to any file readable by the agent's user, such as `/etc/passwd` or other sensitive configuration files, leading to arbitrary file disclosure. Resolve the user-provided input file path and verify it is located within a designated safe directory (e.g., a temporary upload or workspace folder) before use. Do not allow the script to access arbitrary file system paths.	Unknown	scripts/ts_utils.py:26
HIGH	Path Traversal in `--output-dir` Argument The scripts `scripts/diagnose.py` and `scripts/visualize.py` accept an `--output-dir` command-line argument. This path is used to construct file paths for writing output files (e.g., JSON reports, PNG plots) without being validated or sanitized. An attacker can provide a path with traversal sequences (e.g., `../../tmp`) to write files outside of the intended working directory. This could lead to arbitrary file write, potentially overwriting sensitive system files, modifying application code, or placing malicious scripts in an executable location. Resolve the user-provided output path and verify it is located within a designated safe directory before use. Reject any paths that resolve outside this boundary. For Python 3.9+, use `path.is_relative_to(safe_directory)`. For older versions, compare resolved absolute paths after ensuring both are within the safe root.	Unknown	scripts/visualize.py:50

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/018acdd5c04b40f8.svg)](https://skillshield.io/report/018acdd5c04b40f8)