Trust Assessment
who-growth-charts received a trust score of 66/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include: suspicious import of `urllib.request`, arbitrary file read via the `--data` argument, and arbitrary file write via the `--output` argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary file read via `--data` argument: The skill's `growth_chart.py` script accepts a `--data` argument which specifies a JSON file containing measurement data. If this argument is used to point to an arbitrary file path (e.g., `/etc/passwd`), the script will attempt to read and parse its content, potentially leading to data exfiltration. The provided code snippet is truncated, but this is a common vulnerability pattern when file paths are accepted as user input without strict validation. Implement strict validation for the `--data` argument to ensure the provided path is within an allowed, non-sensitive directory (e.g., a user's data directory or a temporary skill-specific directory) or explicitly disallow reading from system paths. Ensure the file content is only parsed and not executed. | LLM | scripts/growth_chart.py |
| HIGH | Arbitrary file write via `--output` argument: The skill's `growth_chart.py` script accepts an `--output` argument to specify the directory where chart images are saved. If this argument is used to specify an arbitrary system path (e.g., `/etc/`, `/var/www/html`), the script could write files to sensitive or publicly accessible locations, leading to excessive permissions or data exfiltration (if sensitive charts are generated and written to an exposed location). The provided code snippet is truncated, but this is a common vulnerability pattern when directory paths are accepted as user input without strict validation. Implement strict validation for the `--output` argument to ensure the provided path is within the skill's designated output area (e.g., `~/clawd/who-growth-charts/`) or a temporary directory, and not an arbitrary system path. | LLM | scripts/growth_chart.py |
| MEDIUM | Suspicious import: `urllib.request`: Import of `urllib.request` detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/odrobnik/who-growth-charts-skill/scripts/growth_chart.py:22 |
| INFO | Unpinned Python dependencies: The `SKILL.md` recommends installing Python dependencies using `pip install pandas matplotlib scipy openpyxl` without specifying exact versions. This can lead to non-reproducible builds and potential security vulnerabilities if a future version of a dependency introduces a breaking change or a security flaw. Pin all Python dependencies to exact versions (e.g., `pandas==1.5.3`) in a `requirements.txt` file to ensure reproducible and secure installations. | LLM | SKILL.md:34 |
| INFO | Reliance on external CDN for WHO data: The skill downloads WHO growth chart reference data and the WHO emblem directly from `cdn.who.int`. While `cdn.who.int` is a legitimate source, reliance on external CDNs introduces a supply chain risk. If the CDN were compromised, malicious data could be served, potentially leading to incorrect chart generation or other issues. The skill does not appear to validate the integrity of the downloaded data (e.g., via checksums). Consider implementing integrity checks (e.g., SHA256 checksums) for downloaded reference data, or provide an option to use locally bundled data for critical applications. | LLM | scripts/growth_chart.py:50 |