Trust Assessment
stock-analysis received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 21 findings: 7 critical, 10 high, 3 medium, and 1 low severity. Key findings include unsafe environment variable passthrough, arbitrary command execution, and credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (21)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/udiedrichsen/stock-analysis/scripts/hot_scanner.py:388 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/udiedrichsen/stock-analysis/scripts/rumor_scanner.py:81 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/udiedrichsen/stock-analysis/scripts/rumor_scanner.py:134 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/udiedrichsen/stock-analysis/scripts/watchlist.py:246 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/udiedrichsen/stock-analysis/scripts/hot_scanner.py:387 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/udiedrichsen/stock-analysis/scripts/rumor_scanner.py:79 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/udiedrichsen/stock-analysis/scripts/rumor_scanner.py:132 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/udiedrichsen/stock-analysis/scripts/hot_scanner.py:387 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/udiedrichsen/stock-analysis/scripts/rumor_scanner.py:79 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/udiedrichsen/stock-analysis/scripts/rumor_scanner.py:132 | |
| HIGH | Hidden network beacons / undisclosed telemetry Large encoded data in URL query parameters Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/udiedrichsen/stock-analysis/scripts/hot_scanner.py:203 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'scan_twitter'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/udiedrichsen/stock-analysis/scripts/hot_scanner.py:388 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'search_twitter_rumors'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/udiedrichsen/stock-analysis/scripts/rumor_scanner.py:81 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'search_twitter_buzz'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/udiedrichsen/stock-analysis/scripts/rumor_scanner.py:134 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'check_alerts'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/udiedrichsen/stock-analysis/scripts/watchlist.py:246 | |
| HIGH | Command Injection via External Binary Execution The `hot_scanner.py` and `rumor_scanner.py` scripts execute an external `bird` CLI using `subprocess.run`. While the arguments (`query`) are hardcoded within these scripts, the execution of any external binary is a command injection vector. If the `bird` CLI itself is compromised, or if its behavior can be manipulated through environment variables (which are loaded from a `.env` file and passed to `subprocess.run`), it could lead to arbitrary command execution on the host system. The `SKILL.md` explicitly instructs the user to install this `bird` CLI globally via `npm install -g @steipete/bird`. Avoid executing external binaries via `subprocess.run` with user-controlled inputs. If external tools are necessary, ensure they are installed in a sandboxed environment and all arguments are strictly validated and sanitized. Consider replacing external CLI calls with Python libraries if available, or implement robust sandboxing mechanisms. | LLM | scripts/hot_scanner.py:100 | |
| HIGH | Credential Exposure to External Process The `hot_scanner.py` and `rumor_scanner.py` scripts load `AUTH_TOKEN` and `CT0` (Twitter/X credentials) from a `.env` file into `os.environ`. These environment variables are then passed directly to the `subprocess.run` call that executes the `bird` CLI. This exposes sensitive credentials to an external, globally installed binary. If the `bird` CLI is malicious, or if it has a vulnerability that allows it to read its environment, these credentials could be harvested or exfiltrated. Do not pass sensitive credentials via environment variables to external processes, especially globally installed ones. Explore more secure methods for credential handling, such as direct API calls from Python, or temporary files with restricted permissions, ensuring credentials are never exposed to untrusted execution contexts. | LLM | scripts/rumor_scanner.py:20 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/udiedrichsen/stock-analysis/scripts/hot_scanner.py:8 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/udiedrichsen/stock-analysis/scripts/rumor_scanner.py:21 | |
| MEDIUM | Unpinned Global Dependency Installation The `SKILL.md` instructs users to install the `bird` CLI globally using `npm install -g @steipete/bird`. This presents two supply chain risks: 1. **Unpinned Version**: Installing without a specific version (`@version`) means the latest version will always be installed. This can introduce breaking changes or malicious code if the package maintainer is compromised or introduces vulnerabilities in future releases, without explicit review. 2. **Global Scope**: `npm install -g` installs the package globally, affecting the entire system rather than being isolated to the skill's environment. This requires elevated permissions and increases the attack surface if the package is compromised. Always specify exact versions for dependencies (e.g., `npm install -g @steipete/bird@1.2.3`). Prefer installing dependencies locally within the skill's environment or using containerization/virtual environments to prevent global system impact and isolate potential threats. | LLM | SKILL.md:170 | |
| LOW | Broad Filesystem Scope for State Management The skill stores portfolio and watchlist data in `~/.clawdbot/skills/stock-analysis/portfolios.json` and `~/.clawdbot/skills/stock-analysis/watchlist.json`. While this is a common pattern for skill state management, it grants the skill write access to a subdirectory within the user's home directory. If the skill were compromised, this broad access could potentially allow it to write arbitrary data to the user's home directory, beyond its designated state files. Ensure that the skill strictly adheres to writing only to its designated state directory and does not attempt to access or modify other files in the user's home directory. The platform should ideally enforce stricter sandboxing for skill file access to limit potential damage from a compromised skill. | LLM | scripts/portfolio.py:34 |