Trust Assessment
equity-analyst-test received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 1 high, 3 medium, and 0 low severity. Key findings include "Missing required field: name", "Python file could not be statically analyzed", and "Unsanitized file paths in `analyze.py` script".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Undefined 'browser tool' may allow excessive access.** The skill description in `SKILL.md` instructs the LLM to use an unspecified 'browser tool' to navigate to `finance.naver.com` and extract data. If this tool is a general-purpose web browsing or data extraction tool with broad permissions, and the target URL or extraction parameters are influenced by untrusted user input, it could lead to Server-Side Request Forgery (SSRF), arbitrary web content fetching, or even local file access if the tool has such capabilities. This poses a significant risk of data exfiltration or unauthorized access to internal resources. Recommendation: define and constrain the 'browser tool' to only access allowed domains (e.g., `finance.naver.com`) and prevent access to local files or internal network resources. Implement strict input validation for any user-provided parameters that influence the tool's operation. | LLM | SKILL.md:26 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Recommendation: add a 'name' field to the SKILL.md frontmatter. | Static | skills/saebyeok-im/equity-analyst-test/SKILL.md:1 |
| MEDIUM | **Python file could not be statically analyzed.** SyntaxError: invalid syntax. Perhaps you forgot a comma? (line 280) | Static | skills/saebyeok-im/equity-analyst-test/scripts/analyze.py:280 |
| MEDIUM | **Unsanitized file paths in `analyze.py` script.** The `scripts/analyze.py` script accepts `--input` and `--output` file paths via command-line arguments. If these arguments are populated by an orchestrating LLM using untrusted user input without proper sanitization, a malicious user could specify paths containing `../` (path traversal) to read or write to arbitrary locations on the file system. This could lead to data exfiltration (e.g., reading sensitive files) or data tampering (e.g., overwriting system files). Recommendation: the orchestrating LLM should sanitize or validate all file paths derived from untrusted user input before passing them to the script. Alternatively, the script itself could implement path sanitization (e.g., `os.path.abspath`, `os.path.normpath` combined with checks to ensure paths remain within an allowed directory). | LLM | scripts/analyze.py:107 |
| INFO | **Unanalyzable `scrape_naver.py` script due to truncation.** The `scripts/scrape_naver.py` file is mentioned as part of the skill but its content is truncated, preventing a full security analysis. This script is described as handling 'Data extraction from Naver Finance page,' which typically involves external libraries (e.g., `requests`, `BeautifulSoup`, `selenium`). Without access to its full code and dependencies, potential supply chain risks (e.g., unpinned dependencies, vulnerable libraries) or other code-level vulnerabilities cannot be assessed. Recommendation: provide the full source code for `scripts/scrape_naver.py` for complete analysis. Ensure all external dependencies are explicitly listed and pinned to specific versions, and regularly scan them for known vulnerabilities. | LLM | scripts/scrape_naver.py:1 |
Full report: https://skillshield.io/report/8db921222d328cc2 (powered by SkillShield)