Trust Assessment
naver-stock received a trust score of 95/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The finding is a potential command injection via `node` execution with user input.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Potential Command Injection via `node` execution with user input.** The skill's manifest declares a dependency on the `node` binary, and the `SKILL.md` documentation indicates that the `index.cjs` script is executed with user-provided arguments (e.g., `node index.cjs "삼성전자"`). If the `index.cjs` script directly incorporates these user-controlled arguments into shell commands (e.g., using `child_process.exec` or `spawn` with `shell: true`) without proper sanitization or escaping, it could lead to command injection. An attacker could craft a malicious input to execute arbitrary commands on the host system. Review `index.cjs` to ensure that all user-provided arguments are properly sanitized and escaped before being used in any shell commands. Prefer `child_process.spawn` with an array of arguments over `child_process.exec` or `spawn` with `shell: true` to avoid shell interpretation. If shell execution is necessary, use a robust escaping library. | LLM | SKILL.md:12 |