Trust Assessment
tradingview-screener received a trust score of 45/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 0 critical, 2 high, 4 medium, and 0 low severity. Key findings include Unpinned Python dependency version, Dependencies pinned with `>=` instead of `==`, Arbitrary file read via user-provided signal path.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Arbitrary file read via user-provided signal path.** The `signal_engine.py` script's `load_signal` function allows a user to specify an arbitrary path to a YAML signal configuration file via the `--signal` argument. The script then reads the content of this file using `yaml.safe_load()`. This could be exploited by a malicious actor to read the contents of any YAML file on the system that the skill's process has read access to, leading to data exfiltration. Restrict the `--signal` argument to only accept signal names that are resolved within the `DEFAULT_SIGNALS_DIR`. If allowing custom paths is necessary, implement strict path validation to ensure the path is within an allowed sandbox directory and does not contain directory traversal sequences (e.g., `../`). | LLM | scripts/signal_engine.py:27 |
| HIGH | **Arbitrary directory listing and file content display via user-provided signals directory.** The `signal_engine.py` script's `list_signals` function allows a user to specify an arbitrary directory path via the `--signals-dir` argument. The script then lists all `.yaml` files in that directory and attempts to read and parse their content to display signal information. This could be exploited by a malicious actor to list the contents of any directory on the system and potentially read snippets of any `.yaml` file, leading to data exfiltration. Restrict the `--signals-dir` argument to only accept paths within the skill's designated `state/signals` directory, or validate that the path does not contain directory traversal sequences (e.g., `../`). | LLM | scripts/signal_engine.py:47 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `tvscreener>=0.2.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/hiehoo/tradingview-screener/scripts/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `pandas>=2.0.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/hiehoo/tradingview-screener/scripts/requirements.txt:2 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `pyyaml>=6.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/hiehoo/tradingview-screener/scripts/requirements.txt:3 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `pytest>=7.0.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/hiehoo/tradingview-screener/scripts/requirements.txt:4 |
| INFO | **Dependencies pinned with `>=` instead of `==`.** The `requirements.txt` file uses `>=` for pinning dependencies. While this allows for minor updates, it can lead to unexpected behavior or introduce vulnerabilities if a new version of a dependency contains breaking changes or security flaws. For reproducible and secure skill execution, exact pinning (`==`) is generally recommended. Pin exact versions for all dependencies (e.g., `tvscreener==0.2.0`). Consider using a lock file mechanism (e.g., `pip freeze > requirements.lock`) for production deployments. | LLM | scripts/requirements.txt:1 |