Security Audit
streamlit/agent-skills:developing-with-streamlit
github.com/streamlit/agent-skills
Trust Assessment
streamlit/agent-skills:developing-with-streamlit received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 21 findings: 0 critical, 0 high, 17 medium, and 2 low severity. Key findings include Unpinned Python dependency version, Potential Command Injection via `streamlit run`, and Unsanitized User Input to External Library (`yfinance`).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Dependency Graph layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on April 1, 2026 (commit 42fb68fd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (21)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned Python dependency version: Dependency 'altair>=5.5.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/apps/dashboard-companies/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'altair>=5.5.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/apps/dashboard-compute/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'altair>=5.5.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/apps/dashboard-compute-snowflake/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'altair>=5.5.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/apps/dashboard-feature-usage/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'altair>=5.5.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/apps/dashboard-metrics/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'altair>=5.5.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/apps/dashboard-metrics-snowflake/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'altair>=5.5.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/apps/dashboard-seattle-weather/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'altair>=5.5.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/apps/dashboard-stock-peers/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'altair>=5.5.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/apps/dashboard-stock-peers-snowflake/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'numpy>=1.26.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/themes/dracula/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'numpy>=1.26.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/themes/github/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'numpy>=1.26.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/themes/minimal/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'numpy>=1.26.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/themes/nord/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'numpy>=1.26.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/themes/snowflake/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'numpy>=1.26.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/themes/solarized-light/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'numpy>=1.26.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/themes/spotify/pyproject.toml |
| MEDIUM | Unpinned Python dependency version: Dependency 'numpy>=1.26.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | developing-with-streamlit/templates/themes/stripe/pyproject.toml |
| LOW | Potential Command Injection via `streamlit run`: The skill instructs the agent to offer running a Streamlit app using `streamlit run [app_file.py]`. If the `[app_file.py]` placeholder is populated directly from unsanitized user input (e.g., in response to 'Which is your main app?'), it could lead to command injection, allowing arbitrary commands to be executed on the host system. While the intent is for the agent to identify a known file, the phrasing of the prompt could lead to user-provided input. Ensure that any file path used with `streamlit run` is strictly validated against known, safe file paths identified by the agent, and never directly interpolated from raw user input. The agent should only select from a list of internally verified files. | LLM | SKILL.md:105 |
| LOW | Unsanitized User Input to External Library (`yfinance`): The `dashboard-stock-peers/streamlit_app.py` uses `st.multiselect` with `accept_new_options=True` to allow users to input stock tickers. These user-provided strings are then passed directly to `yf.Tickers(tickers)`. While `yfinance` is generally robust to invalid tickers, passing arbitrary, unsanitized user input to external libraries can lead to unexpected errors, resource exhaustion, or potentially trigger vulnerabilities in the external library. Although direct code execution is unlikely with `yfinance`, it's a general security best practice to validate or sanitize all user input before passing it to external components. Implement input validation for user-provided stock tickers. For example, check if the input matches a known list of valid tickers or a specific pattern (e.g., uppercase alphanumeric characters). Handle invalid inputs gracefully before passing them to `yfinance`. | LLM | templates/apps/dashboard-stock-peers/streamlit_app.py:128 |
| INFO | SQL Query Construction with F-strings (Synthetic Data): The `build_synthetic_query` and `generate_stock_data_query` functions construct SQL queries using f-strings. While the code explicitly states that this is for synthetic data with hardcoded constants and warns against using f-strings with user input, this pattern can be a source of SQL injection vulnerabilities if the 'constants' were ever to be derived from untrusted sources. The code correctly demonstrates parameterized queries as the safe alternative for production, but the f-string pattern itself is worth noting as a potential anti-pattern if not handled with extreme care. For any SQL query construction, always prefer parameterized queries (as demonstrated in `dashboard-metrics-snowflake/streamlit_app.py`) over f-strings, even when inputs are currently hardcoded. This prevents accidental introduction of SQL injection vulnerabilities if the source of inputs changes in the future. | LLM | templates/apps/dashboard-compute-snowflake/streamlit_app.py:90 |
| INFO | SQL Query Construction with F-strings (Synthetic Data): The `build_synthetic_query` and `generate_stock_data_query` functions construct SQL queries using f-strings. While the code explicitly states that this is for synthetic data with hardcoded constants and warns against using f-strings with user input, this pattern can be a source of SQL injection vulnerabilities if the 'constants' were ever to be derived from untrusted sources. The code correctly demonstrates parameterized queries as the safe alternative for production, but the f-string pattern itself is worth noting as a potential anti-pattern if not handled with extreme care. For any SQL query construction, always prefer parameterized queries (as demonstrated in `dashboard-metrics-snowflake/streamlit_app.py`) over f-strings, even when inputs are currently hardcoded. This prevents accidental introduction of SQL injection vulnerabilities if the source of inputs changes in the future. | LLM | templates/apps/dashboard-stock-peers-snowflake/streamlit_app.py:140 |