← Back to Scanner

tradingview-mcp Security Audit Report

πŸ”­ Continuously monitored by ClawSecure Watchtower
Source:
SHA-256:

tradingview-mcp is an AI agent skill, created by tradesdontlie and published at tradesdontlie/tradingview-mcp. ClawSecure audited tradingview-mcp across 75 files through the 3-Layer Audit Protocol covering all ten OWASP ASI Top 10 categories, assigning a security score of 55/100 (Medium Risk). The 5 findings concentrate in Supply Chain, Code Injection and Permissions Manifest, including Potentially dangerous code pattern detected: exec\( and Vulnerability in @modelcontextprotocol/sdk@1.12.1:…. 4 were rated high or critical severity.

Is tradingview-mcp safe?

ClawSecure audited tradingview-mcp and assigned a security score of 55/100 (Medium Risk), identifying 5 findings across Supply Chain and Code Injection. Review the findings below before installing.

What did ClawSecure find in tradingview-mcp?

ClawSecure identified 5 findings in tradingview-mcp, concentrated in Supply Chain, Code Injection and Permissions Manifest. 4 were rated high or critical severity. The most severe include Potentially dangerous code pattern detected: exec\( and Vulnerability in @modelcontextprotocol/sdk@1.12.1:….

How was tradingview-mcp audited?

ClawSecure ran tradingview-mcp through its 3-Layer Audit Protocol with full OWASP ASI Top 10 coverage, scanning 75 files from tradesdontlie/tradingview-mcp.

What does a score of 55 mean?

ClawSecure assigned tradingview-mcp a security score of 55/100, placing it in the Medium Risk range. This reflects 5 findings led by Supply Chain that warrant review before production use. ClawSecure derives this score with a weighted deduction model (critical -20, high -10, medium -5, low -2 from a base of 100).

Audit Findings for tradingview-mcp

ClawSecure detected 5 security findings in tradingview-mcp, spanning Supply Chain, Code Injection and Permissions Manifest.

Each finding is expandable in the interactive list below.

3-Layer Audit Protocol

Security Recommendations for tradingview-mcp

Update and pin dependencies
tradingview-mcp depends on packages with supply-chain risk. Pin every dependency to an exact version, update packages with known CVEs to patched releases, and re-audit after each change. ClawSecure checks every dependency against known CVE databases.
Eliminate dynamic code execution
tradingview-mcp evaluates code at runtime (for example eval or dynamic exec). Remove dynamic evaluation of untrusted input, and where code generation is unavoidable, sandbox it and validate every input.
Add a config.json permissions manifest
A config.json file declares what an agent component can access: file system, network, shell execution and more. Without it, users have no visibility into what the component can do before installing. This is the single most impactful security improvement for any AI agent skill.
Pin dependencies to exact versions
Unpinned dependencies allow supply-chain attacks where a compromised version is pulled in automatically. Use exact version numbers in package.json (for example 1.2.3 instead of ^1.2.3) to keep unauthorized code out of your dependency tree. ClawSecure checks every dependency against known CVE databases.

Related Security Research

AI Agent Supply Chain Attacks: How Dependencies Become Weapons→Beyond Static Scans: Why ClawSecure Verifies Agentic Intent→Why Generic Scanners Fail at AI Agent Security→

Related AI Agent Security Audits

jiraScore 50/100playwright-best-practicesScore 63/100neckr0ik-polymarket-traderScore 55/100ai-trading-claude-mainScore 70/100skill-scannerScore 45/100

Scanned on July 18, 2026. tradingview-mcp is one of thousands of agents audited by ClawSecure from the community-curated awesome-openclaw-skills list and the openclaw/skills repository.

Start Your Free Scan