Trust Assessment
portfolio-tracker received a trust score of 75/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium and 0 low severity. They are "Sensitive financial data printed to stdout" (high), "Missing required field: name" (medium) and "Browser automation with specific Chrome profile may expose sensitive data" (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Sensitive financial data printed to stdout. `scripts/update-portfolio.py` reads personal financial holdings (tickers and amounts) from `references/portfolio-holdings.md` and then prints a sample of them (`stocks[:5]`, `crypto`) to standard output. That puts private financial information into the model's execution environment, where it can leak through logs, transcripts or other insecure output channels. Recommendation: remove or redact the `print` statements that output holdings and emit only non-sensitive or aggregated results. If the model genuinely needs specific holding details, pass them through a controlled channel rather than stdout. | LLM | scripts/update-portfolio.py:13 |
| MEDIUM | Missing required field: name. The `name` field is required for claude_code skills but is absent from the SKILL.md frontmatter. Recommendation: add a `name` field to the frontmatter. | Static | skills/vachanalaviswanath/portfolio-tracker/SKILL.md:1 |
| MEDIUM | Browser automation with specific Chrome profile may expose sensitive data. The skill's workflow tells the model to use browser automation and to "Attach Chrome extension (profile=open-claw-chrome)". A named, potentially persistent Chrome profile carries whatever is stored in it (cookies, browsing history, saved credentials, extension data), and all of it becomes reachable by the automation tool and, through it, the model. If `open-claw-chrome` is not strictly sandboxed, or is also used for everyday browsing, that is a path to data exfiltration or unauthorized access. Recommendation: use a dedicated, ephemeral, strictly sandboxed profile for automation; give it minimal permissions, keep user data out of it, never use it for general browsing, and put strict access controls on the automation tool. | LLM | SKILL.md:14 |
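The HIGH finding above is easiest to understand as a before/after. The script below is an added example, not the skill's `update-portfolio.py`: it assumes a holdings file laid out as markdown tables with a ticker and an amount column (constructed inline), shows the flagged pattern (`leaky_summary`, raw tickers and amounts headed for stdout) next to the aggregated replacement (`safe_summary`), and adds `leaked_values`, a check that scans any output string for whole-token occurrences of a holding's ticker or amount so a unit test can fail the script if a later edit reintroduces the leak.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed stand-in for references/portfolio-holdings.md. The layout (one
# markdown table per asset class, ticker and amount columns) is an assumption
# made for this example, not the skill's real file.
HOLDINGS_MD = """# Holdings

## Stocks
| Ticker | Shares |
|---|---|
| AAPL | 120 |
| MSFT | 40.5 |

## Crypto
| Ticker | Amount |
|---|---|
| BTC | 0.75 |
| ETH | 12 |
"""


@dataclass(frozen=True)
class Holding:
    section: str   # "stocks" or "crypto", taken from the nearest "## " heading
    ticker: str
    amount: float


# A data row: "| TICKER | 123.45 |". Header and separator rows fail the numeric
# second column and are skipped.
ROW_RE = re.compile(r"^\|\s*([A-Za-z0-9.\-]+)\s*\|\s*([0-9]+(?:\.[0-9]+)?)\s*\|\s*$")


def parse_holdings(md: str) -> list[Holding]:
    section, out = "", []
    for line in md.splitlines():
        if line.startswith("## "):
            section = line[3:].strip().lower()
        elif m := ROW_RE.match(line):
            out.append(Holding(section, m.group(1).upper(), float(m.group(2))))
    return out


def leaky_summary(holdings: list[Holding]) -> str:
    """The flagged pattern: raw tickers and amounts, ready to be print()ed."""
    stocks = [(h.ticker, h.amount) for h in holdings if h.section == "stocks"]
    crypto = [(h.ticker, h.amount) for h in holdings if h.section == "crypto"]
    return f"stocks={stocks[:5]} crypto={crypto}"


def safe_summary(holdings: list[Holding]) -> str:
    """Aggregates only: position counts per asset class, no tickers, no amounts."""
    counts: dict[str, int] = {}
    for h in holdings:
        counts[h.section] = counts.get(h.section, 0) + 1
    return " ".join(f"{sec}={n} positions" for sec, n in sorted(counts.items()))


def leaked_values(text: str, holdings: list[Holding]) -> set[str]:
    """Every ticker or amount from `holdings` that appears as a whole token in
    `text`. Run it over anything the script writes to stdout or a log file;
    a non-empty result is a failing test."""
    found = set()
    for h in holdings:
        for token in (h.ticker, f"{h.amount:g}"):
            if re.search(rf"\b{re.escape(token)}\b", text):
                found.add(token)
    return found


if __name__ == "__main__":
    holdings = parse_holdings(HOLDINGS_MD)
    # The two lines differ only in what reaches stdout.
    for label, text in (("leaky", leaky_summary(holdings)), ("safe", safe_summary(holdings))):
        print(f"{label}: {text} -> leaked {sorted(leaked_values(text, holdings))}")
```

`leaked_values` deliberately matches amounts in their shortest form (`120`, not `120.0`) with word boundaries, so it catches the value however the print formatted it while not tripping on unrelated numbers such as the position counts in `safe_summary`.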
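The first MEDIUM finding is the kind of manifest check an author can run locally before publishing. The following is an added example, not SkillShield's checker and not part of the skill: it parses the flat `key: value` pairs of a SKILL.md front-matter block and reports required fields that are absent or empty. The report only says that `name` is required, so that is the default policy; the two SKILL.md samples are constructed for the example.

```python
from __future__ import annotations

import re

# Fields the check insists on. The report says only that 'name' is required for
# claude_code skills; anything added here is the reader's own policy.
REQUIRED_FIELDS: tuple[str, ...] = ("name",)

# A front-matter block: the file starts with "---", then key/value lines, then "---".
FRONTMATTER_RE = re.compile(r"\A---[ \t]*\r?\n(.*?)\r?\n---[ \t]*(?:\r?\n|\Z)", re.S)


def parse_frontmatter(text: str) -> dict[str, str]:
    """Top-level scalar 'key: value' pairs of the front matter.

    Nested YAML and lists are ignored on purpose; a missing or unterminated
    block returns an empty mapping, which the caller treats as "everything missing".
    """
    m = FRONTMATTER_RE.match(text)
    if not m:
        return {}
    fields: dict[str, str] = {}
    for line in m.group(1).splitlines():
        if not line.strip() or line[0] in " \t" or line.lstrip().startswith("#"):
            continue  # blank, indented (nested) or comment line
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip().strip("'\"")
    return fields


def missing_required_fields(text: str, required=REQUIRED_FIELDS) -> list[str]:
    """Names of required fields that are absent or empty, in policy order."""
    present = parse_frontmatter(text)
    return [k for k in required if not present.get(k)]


# Constructed SKILL.md samples; neither is the portfolio-tracker file itself.
SKILL_MISSING_NAME = """---
description: Track stock and crypto holdings from a markdown file.
---
# Portfolio tracker
"""

SKILL_WITH_NAME = """---
name: portfolio-tracker
description: Track stock and crypto holdings from a markdown file.
---
# Portfolio tracker
"""

if __name__ == "__main__":
    for label, doc in (("missing", SKILL_MISSING_NAME), ("ok", SKILL_WITH_NAME)):
        print(f"{label}: missing={missing_required_fields(doc)}")
```

An empty value (`name:` with nothing after it) counts as missing, which is what a loader that falls back to a default or to the directory name would otherwise silently accept.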
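For the second MEDIUM finding, the OS-level half of the recommendation (a dedicated, ephemeral profile) is a matter of never pointing Chrome at a persistent `--user-data-dir`. The helper below is an added example, not the skill's workflow and not whatever the "Attach Chrome extension" step uses under the hood: it binds a Chrome argv to a freshly created temporary profile directory that is deleted when the session ends, and `isolation_check` verifies that lifecycle without launching a browser. The binary name `google-chrome` is an assumption.

```python
from __future__ import annotations

import contextlib
import os
import tempfile
from collections.abc import Iterator

# Assumed binary name; point it at the local Chrome/Chromium executable.
CHROME_BIN = "google-chrome"


@contextlib.contextmanager
def ephemeral_chrome_args(remote_debugging_port: int | None = None) -> Iterator[list[str]]:
    """Yield a Chrome argv bound to a brand-new, empty profile directory.

    tempfile creates the directory readable only by the current user and
    removes it on exit, so cookies, history and saved logins never outlive the
    session, and nothing from the user's own profiles (such as a persistent,
    named one that is also used for everyday browsing) is visible to the
    automation.
    """
    with tempfile.TemporaryDirectory(prefix="automation-profile-") as profile_dir:
        args = [
            CHROME_BIN,
            f"--user-data-dir={profile_dir}",  # the isolation boundary
            "--no-first-run",
            "--no-default-browser-check",
            "--disable-extensions",  # no extension data carried into the session
            "--disable-sync",        # never sign this profile into an account
        ]
        if remote_debugging_port is not None:
            args.append(f"--remote-debugging-port={remote_debugging_port}")
        yield args


def profile_dir_of(args: list[str]) -> str:
    """The directory named by --user-data-dir in a Chrome argv."""
    prefix = "--user-data-dir="
    return next(a[len(prefix):] for a in args if a.startswith(prefix))


def isolation_check() -> dict[str, bool]:
    """Exercise the context manager without launching a browser and report
    whether the profile was empty during the session and gone afterwards."""
    with ephemeral_chrome_args(remote_debugging_port=9222) as args:
        d = profile_dir_of(args)
        during = os.path.isdir(d) and not os.listdir(d)
    return {"empty_during": during, "removed_after": not os.path.exists(d)}


if __name__ == "__main__":
    print(isolation_check())
    with ephemeral_chrome_args() as argv:
        print(" ".join(argv))  # hand argv to subprocess.Popen for a real session
```

Anything the automation needs to authenticate with should be injected per session (for example by logging in through the automation itself) rather than pre-loaded into the profile, otherwise the profile becomes persistent in practice even if the directory is temporary.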
Full report: https://skillshield.io/report/b558364b6560dd17