Security Audit
dem1urg/github-extractor:root
gitlab.com/dem1urg/github-extractor
Trust Assessment
dem1urg/github-extractor:root received a trust score of 78/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Suspicious import: urllib.request" and "Arbitrary File Read via --html-file Argument".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 24, 2026 (commit c757bfa0). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| HIGH | Arbitrary File Read via --html-file Argument | The `tools/extract_profile.py` script accepts an `--html-file` argument which allows it to read the content of any specified file on the local filesystem. If an attacker can control the path provided to this argument (e.g., through prompt injection to the LLM that calls this skill), they could instruct the skill to read sensitive files like `/etc/passwd`, `/proc/self/environ`, or `~/.ssh/id_rsa`. Although the script attempts to parse the content as HTML, parts of the file's content could be included in the output JSON (e.g., if it happens to contain HTML-like structures that match regex patterns, or in error messages if parsing fails), leading to data exfiltration. The `fail` function's `details` dictionary could also expose file system information in error cases. Restrict file access to a designated temporary directory, validate file paths more strictly (e.g., disallow absolute paths, paths outside a sandbox, or paths containing `..`), or implement a deny-list for sensitive file paths. For this specific skill, consider disallowing reading arbitrary local files and only allowing fetching from `github.com` URLs, or require the user to paste the HTML content directly into the prompt rather than providing a file path. | Static | tools/extract_profile.py:80 |
| MEDIUM | Suspicious import: urllib.request | Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | tools/extract_profile.py:14 |