Trust Assessment
options-spread-conviction-engine received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Sensitive environment variable access: $HOME, Unpinned Python Dependencies in Setup Script.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| HIGH | Unsafe deserialization / dynamic eval | Decryption followed by code execution. Remove obfuscated code execution patterns: legitimate code does not need base64-encoded payloads executed via `eval`, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | `skills/adamnaghs/options-spread-conviction-engine/skills/options-spread-conviction-engine/scripts/numba.py:3` |
| MEDIUM | Sensitive environment variable access: `$HOME` | Access to the sensitive environment variable `$HOME` detected in a shell context. Verify that this access is necessary and that the value is not exfiltrated. | Static | `skills/adamnaghs/options-spread-conviction-engine/skills/options-spread-conviction-engine/scripts/setup-venv.sh:8` |
| MEDIUM | Unpinned Python dependencies in setup script | The `scripts/setup-venv.sh` script installs several Python packages (`numpy`, `pandas`, `yfinance`, `pandas_ta`, `scipy`, `tqdm`) without specifying exact version numbers. While `SKILL.md` mentions minimum versions (e.g., `pandas >= 2.0`, `pandas_ta >= 0.4.0`), the installation script neither enforces these nor pins to specific versions. This can lead to non-reproducible builds, compatibility issues if future versions introduce breaking changes, or the inadvertent inclusion of vulnerabilities if a dependency is compromised. Pin all Python dependencies to exact versions (e.g., `package==X.Y.Z`) in `scripts/setup-venv.sh` to ensure reproducible builds and mitigate risks from unexpected updates. A `requirements.txt` file with pinned versions, installed via `pip install -r requirements.txt`, is the recommended approach. | LLM | `scripts/setup-venv.sh:29` |
Powered by SkillShield