Trust Assessment
MarketPulse received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via Unsanitized User Input in Shell Commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential Command Injection via Unsanitized User Input in Shell Commands. The skill documentation provides examples of `curl` and `python3` commands that take various parameters (e.g., `ticker`, `start_date`, `end_date`). If an AI agent constructs these shell commands by directly interpolating untrusted user input into these parameters without proper shell escaping, an attacker could inject arbitrary shell commands. For instance, providing a ticker like `AAPL; rm -rf /` could lead to remote code execution if the agent does not sanitize the input before executing the `curl` command. The AI agent responsible for executing these commands must ensure that all user-provided inputs are rigorously sanitized and shell-escaped before being interpolated into shell commands. Consider using a dedicated library for command construction that handles escaping automatically, or pass parameters as distinct arguments to a script rather than directly into a shell string where possible. For `curl` commands, ensure parameters are both URL-encoded and then shell-escaped if the entire URL string is part of a larger shell command. | LLM | SKILL.md:49 |