Trust Assessment
options-strategy-advisor received a trust score of 71/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include "Suspicious import: requests", "Potential Server-Side Request Forgery (SSRF) via FMP API calls", and "Potential API Key Exposure via SSRF".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Server-Side Request Forgery (SSRF) via FMP API calls: The skill's documentation (`SKILL.md`) indicates that it fetches data from the FMP API, requiring a user-provided ticker symbol. The `scripts/black_scholes.py` file, which is part of the skill's implementation, imports the `requests` library. If the user-provided ticker symbol or other parameters are used to construct the API request URL without strict validation and sanitization, an attacker could manipulate the input to perform Server-Side Request Forgery (SSRF). This could force the skill to make requests to internal network resources or arbitrary external URLs, potentially leading to data exfiltration or port scanning. Implement strict input validation and sanitization for all user-provided parameters used in API requests. Ensure that the constructed URLs only target the intended FMP API domain and do not allow redirection or arbitrary host/port specification. Consider using a whitelist of allowed ticker symbols if feasible. | LLM | scripts/black_scholes.py:30 |
| HIGH | Potential API Key Exposure via SSRF: The skill uses an external API (FMP API) which typically requires an API key for authentication. The `scripts/black_scholes.py` file imports the `os` module, suggesting that API keys might be retrieved from environment variables (e.g., `os.getenv('FMP_API_KEY')`). If the skill is vulnerable to SSRF (as described in the previous finding), an attacker could redirect the API request to an attacker-controlled server. If the API key is included in the request (e.g., in headers or URL parameters), this could lead to the exposure of the FMP API key to the attacker. In addition to preventing SSRF, ensure that API keys are handled securely. If API keys must be sent in requests, use secure methods (e.g., HTTP headers, not URL parameters). Consider using a proxy or service that can inject credentials securely without exposing them to the agent's direct request construction. | LLM | scripts/black_scholes.py:29 |
| MEDIUM | Suspicious import: requests: Import of `requests` detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/veeramanikandanr48/options-strategy-advisor/scripts/black_scholes.py:34 |
Full report: https://skillshield.io/report/a1be0b85f07b6b95