Skill Detail

XVARY Stock Research Skill

This skill analyzes stock data by making HTTP requests to external endpoints.

GitHub:sickn33/antigravity-awesome-skills xvary-stock-research
version 4512e6f2f232
static analysis only
no human review yet
Needs Review

Current public label

Needs Review

The skill's network activity and lack of runtime evidence require review.

This label is currently coming from the automated scorecard.

Automated result

Needs Review

The skill makes network requests to external URLs. Driftloom found no runtime evidence.

4 medium, 3 low Final label: needs review.

Human review

No human review has been recorded yet.

The current public label is still relying on automation. A human has not weighed in yet.

What happened

Driftloom completed a static scan. It inspected the skill files, recorded findings, and generated a scorecard.

Runtime evidence

No sandbox runtime result has been recorded yet.

Driftloom currently recommends runtime testing for this version (priority 40).

What did not happen

  • Driftloom did not run this skill in an isolated sandbox yet.
  • This label is not a guarantee that the skill is safe, bug-free, or appropriate for every environment.
  • A good score does not replace human judgment when a skill touches secrets, shell access, or external systems.

Source provenance

Source: Workspace import

Originally ingested from a local workspace copy.

Scorecard

Safety
100
Quality
100
Transparency
22
Operational
92
Maintenance
58

4 medium, 3 low Final label: needs review.

Severity mix: 4 medium, 3 low

What Driftloom checked

  • Read the skill files and metadata to understand what the skill claims to do.
  • Looked for shell commands and risky command patterns, even if none stood out strongly.
  • Looked for external URLs, network calls, and signs the skill reaches outside the machine.
  • Looked for secrets and credential handling clues.
  • Checked whether the skill structure and references looked internally consistent.

Findings

Programmatic network client usage detected
network.client_code · transparency
Medium

The source appears to make outbound HTTP calls in code.

File: tools/market.py
Evidence: requests.
Programmatic network client usage detected
network.client_code · transparency
Medium

The source appears to make outbound HTTP calls in code.

File: tests/test_edgar.py
Evidence: requests.
Programmatic network client usage detected
network.client_code · transparency
Medium

The source appears to make outbound HTTP calls in code.

File: tools/edgar.py
Evidence: requests.
Programmatic network client usage detected
network.client_code · transparency
Medium

The source appears to make outbound HTTP calls in code.

File: tests/test_market.py
Evidence: requests.
Explicit external endpoint reference detected
network.url_reference · transparency
Low

The source references an external URL in a context that looks behaviorally relevant, not just decorative documentation.

File: tools/edgar.py
Evidence: https://www.sec.gov/files/company_tickers.json
Explicit external endpoint reference detected
network.url_reference · transparency
Low

The docs reference an external endpoint or network flow in a context that likely matters to how the skill operates.

File: references/edgar-guide.md
Evidence: https://data.sec.gov/api/xbrl/companyfacts/CIK{cik}.json`
Explicit external endpoint reference detected
network.url_reference · transparency
Low

The source references an external URL in a context that looks behaviorally relevant, not just decorative documentation.

File: tools/market.py
Evidence: https://query1.finance.yahoo.com/v7/finance/quote?symbols={ticker}
Driftloom is following the boring, correct architecture: Django control plane first, isolated runner later. Miraculously, restraint survives.