Trust Assessment
crypto-price received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include "Suspicious import: urllib.request", "Unpinned Python dependency version", and "Path Traversal via unsanitized user input in filename".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Path Traversal via unsanitized user input in filename.** The `token_symbol` argument, which is taken directly from user input (`sys.argv[1]`), is used to construct a file path for the generated chart image (`/tmp/crypto_chart_{token_symbol}_{timestamp}.png`). An attacker could inject path traversal sequences (e.g., `../`) into `token_symbol` to write files to arbitrary locations on the file system, potentially overwriting critical files or placing malicious content. Sanitize the `token_symbol` input before using it in the file path. Use a regular expression to remove or replace any characters that could facilitate path traversal, such as slashes (`/`, `\`) or dot-dot (`..`). For example, `token_symbol = re.sub(r'[^a-zA-Z0-9_.-]', '', token_symbol)`. | LLM | scripts/get_price_chart.py:300 |
| MEDIUM | **Suspicious import: urllib.request.** Import of `urllib.request` detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/evgyur/crypto-price/scripts/get_price_chart.py:10 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `matplotlib>=3.5.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/evgyur/crypto-price/requirements.txt:1 |
| LOW | **Unpinned dependency in requirements.txt.** The `matplotlib` dependency is specified with a minimum version (`>=3.5.0`) but not an exact version. This can lead to non-deterministic builds and to compatibility issues or unexpected vulnerabilities if a newer, incompatible, or compromised version is installed in the future. While `matplotlib` is a widely used and generally trusted library, pinning exact versions is a best practice for supply chain security. Pin the exact version of `matplotlib` to ensure reproducible builds and prevent unexpected changes. For example, change `matplotlib>=3.5.0` to `matplotlib==3.5.0`, or to `matplotlib~=3.5.0` if minor version updates are acceptable. | LLM | requirements.txt:1 |