Trust Assessment
fireant-stock received a trust score of 25/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 3 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Excessive Browser Automation Permissions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/aholake/vietstock/scripts/check_stock.py:17 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_openclaw_command'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/aholake/vietstock/scripts/check_stock.py:17 | |
| HIGH | Excessive Browser Automation Permissions The skill utilizes `openclaw browser` commands with `--target host`, granting it full control over a browser instance on the host system. This includes the ability to open arbitrary URLs, navigate, interact with page elements, and take full page snapshots. While this is used for its stated purpose of checking stock prices, this level of access is inherently broad and could be abused if the skill is compromised or manipulated by malicious input. Implement stricter controls on browser access. Consider using a sandboxed browser environment, limiting navigation to a whitelist of trusted domains, or using a dedicated API for stock data instead of full browser automation if possible. Ensure the `openclaw` tool itself is configured with the least privilege necessary. | LLM | scripts/check_stock.py:20 | |
| HIGH | Potential Data Exfiltration via Browser Snapshot The `extract_stock_data` function uses `openclaw browser snapshot` to capture the entire content of web pages. The URLs navigated to are influenced by user-provided stock symbols (`symbol`). If a malicious `symbol` leads to a redirect or a search result pointing to a sensitive website (e.g., a user's email, banking portal, or internal company resources), the skill could capture and potentially exfiltrate sensitive information from the browser snapshot. Although no explicit exfiltration mechanism is shown, the capability to capture arbitrary browser content is present. Implement robust URL validation and whitelisting for all navigation actions. Ensure that the browser environment is isolated and does not contain sensitive user data or sessions. Consider parsing only specific, expected elements from the page rather than taking a full snapshot, or using a dedicated API for data retrieval. | LLM | scripts/check_stock.py:100 | |
| MEDIUM | Command Injection Risk via User Input in Browser `act` Command The `search_and_navigate_to_stock` function constructs a `search_query` using user-provided `symbol` (from `sys.argv`). This `search_query` is then embedded into a JSON string (`{"kind": "type", "text": search_query}`) which is passed as the `--request` argument to `openclaw browser act`. While `json.dumps` escapes quotes, if the `openclaw` executable or the underlying browser automation framework has a vulnerability where it interprets certain characters within the `text` field as executable commands or scripts, a specially crafted `symbol` could lead to command injection. Implement robust input validation and sanitization for all user-provided inputs, especially `symbol`. Ensure that `symbol` only contains expected characters (e.g., alphanumeric, specific punctuation). While `json.dumps` provides some protection, an additional layer of validation for the content itself is recommended when it's passed to an external executable that might interpret it. | LLM | scripts/check_stock.py:66 |
Scan History
Embed Code
[](https://skillshield.io/report/c0cf2ae45fc4e432)
Powered by SkillShield