Trust Assessment
unifai-trading-suite received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 15 findings: 0 critical, 0 high, 13 medium, and 0 low severity (the remaining 2 are informational). The findings fall into two types: unpinned Python dependency versions and loose dependency version pinning.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Dependency Graph layer scored lowest at 9/100, indicating the area most in need of improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (15)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned Python dependency version: dependency 'unifai-sdk>=0.3.3' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | skills/zbruceli/unifai-trading-suite/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: requirement 'unifai-sdk>=0.3.3' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/zbruceli/unifai-trading-suite/requirements.txt:2 |
| MEDIUM | Unpinned Python dependency version: requirement 'litellm>=1.80.5 # Gemini 3 thought signature support' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/zbruceli/unifai-trading-suite/requirements.txt:5 |
| MEDIUM | Unpinned Python dependency version: requirement 'google-generativeai>=0.8.0 # Gemini 3 support' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/zbruceli/unifai-trading-suite/requirements.txt:6 |
| MEDIUM | Unpinned Python dependency version: requirement 'aiohttp>=3.9.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/zbruceli/unifai-trading-suite/requirements.txt:9 |
| MEDIUM | Unpinned Python dependency version: requirement 'httpx>=0.27.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/zbruceli/unifai-trading-suite/requirements.txt:10 |
| MEDIUM | Unpinned Python dependency version: requirement 'web3>=6.15.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/zbruceli/unifai-trading-suite/requirements.txt:13 |
| MEDIUM | Unpinned Python dependency version: requirement 'pydantic>=2.6.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/zbruceli/unifai-trading-suite/requirements.txt:16 |
| MEDIUM | Unpinned Python dependency version: requirement 'python-dotenv>=1.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/zbruceli/unifai-trading-suite/requirements.txt:19 |
| MEDIUM | Unpinned Python dependency version: requirement 'fastapi>=0.109.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/zbruceli/unifai-trading-suite/requirements.txt:22 |
| MEDIUM | Unpinned Python dependency version: requirement 'uvicorn>=0.27.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/zbruceli/unifai-trading-suite/requirements.txt:23 |
| MEDIUM | Unpinned Python dependency version: requirement 'pytest>=8.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/zbruceli/unifai-trading-suite/requirements.txt:26 |
| MEDIUM | Unpinned Python dependency version: requirement 'pytest-asyncio>=0.23.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/zbruceli/unifai-trading-suite/requirements.txt:27 |
| INFO | Loose dependency version pinning: dependencies in `pyproject.toml` and `requirements.txt` are pinned using minimum versions (`>=`) rather than exact versions (`==`). While this allows for flexibility and automatic updates, it increases the risk of unexpected breaking changes or the introduction of vulnerabilities from newer, untested package versions. For production environments, exact pinning is generally recommended for better reproducibility and security. Pin all production dependencies to exact versions (`==X.Y.Z`) to ensure reproducibility and prevent unintended updates that could introduce vulnerabilities or breaking changes. Consider using a dependency lock file (e.g., `poetry.lock` or `pip freeze > requirements.lock`) for managing exact versions. | LLM | pyproject.toml:8 |
| INFO | Loose dependency version pinning: dependencies in `pyproject.toml` and `requirements.txt` are pinned using minimum versions (`>=`) rather than exact versions (`==`). While this allows for flexibility and automatic updates, it increases the risk of unexpected breaking changes or the introduction of vulnerabilities from newer, untested package versions. For production environments, exact pinning is generally recommended for better reproducibility and security. Pin all production dependencies to exact versions (`==X.Y.Z`) to ensure reproducibility and prevent unintended updates that could introduce vulnerabilities or breaking changes. Consider using a dependency lock file (e.g., `poetry.lock` or `pip freeze > requirements.lock`) for managing exact versions. | LLM | requirements.txt:2 |
Full report: https://skillshield.io/report/4cff8f67878ce97f