Trust Assessment
stock-info-explorer received a trust score of 80/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Unpinned dependency versions, Path traversal in chart filename generation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Path traversal in chart filename generation: the `save_pro_chart` function constructs a file path using an unsanitized ticker symbol: `f"/tmp/{symbol}_pro.png"`. An attacker could provide a symbol containing path traversal sequences (e.g., `../../etc/passwd`) to write a chart file to an arbitrary location on the filesystem, potentially overwriting critical system files or creating new ones in sensitive directories. Sanitize the `symbol` input to remove path traversal characters (e.g., `..`, `/`) or use a more robust method for generating unique, safe filenames within a designated directory. For example, use `os.path.basename(symbol)` or a UUID for the filename to prevent directory manipulation. | LLM | scripts/yf.py:150 |
| MEDIUM | Unpinned dependency versions: the `scripts/yf.py` file specifies dependencies without pinning their versions (e.g., `yfinance` instead of `yfinance==0.2.30`). This can lead to supply chain risks if a new version of a dependency introduces vulnerabilities, breaking changes, or malicious code. It also makes the build non-deterministic. Pin all dependencies to specific, known-good versions (e.g., `yfinance==0.2.30`). Regularly review and update dependencies to mitigate risks. | LLM | scripts/yf.py:3 |
Scan History
Full report: https://skillshield.io/report/a2842ebecb3b9fce
Powered by SkillShield