Trust Assessment
frontend-slides received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 0 critical, 3 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via OS file opener commands, Potential Command Injection via `python3` execution for PPT conversion, Excessive Permissions: Arbitrary command execution and package installation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on March 20, 2026 (commit 9a478ad6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via OS file opener commands. The skill instructs the LLM to use OS-specific commands (`open`, `xdg-open`, `start`) to open generated HTML files. If the filename (`[presentation-name].html`) can be influenced by untrusted user input and is not properly sanitized before being passed to these commands, an attacker could inject arbitrary shell commands, leading to arbitrary code execution on the host system. Recommendation: implement strict sanitization and validation for any user-provided filenames before they are used in shell commands. Consider using a safer API for opening files that does not involve direct shell execution, or ensure filenames are strictly alphanumeric with allowed extensions. | LLM | SKILL.md:105 |
| HIGH | Potential Command Injection via `python3` execution for PPT conversion. The skill instructs the LLM to use `python3` with `python-pptx` for converting PowerPoint files. If the input `.ppt` or `.pptx` filename, or any other argument passed to the `python3` command, is derived from untrusted user input without proper sanitization, it could lead to arbitrary command execution on the host system. Recommendation: ensure all arguments passed to `python3` (especially file paths) are strictly validated and sanitized to prevent shell metacharacters from being interpreted as commands. Consider using a dedicated, sandboxed environment for executing external tools. | LLM | SKILL.md:114 |
| HIGH | Excessive Permissions: Arbitrary command execution and package installation. The skill requires the LLM to execute arbitrary system commands (`open`, `xdg-open`, `start`, `python3`) and potentially install Python packages (`python-pptx`). This grants the LLM broad permissions to interact with the underlying operating system, which, if exploited through command injection vulnerabilities (as identified above) or other means, could lead to system compromise or data loss. The ability to install packages further expands the attack surface. Recommendation: implement strict sandboxing for the LLM's execution environment, limiting its ability to execute arbitrary commands or modify system-wide packages. Use allow-lists for permitted commands and arguments. Review the necessity of direct package installation by the LLM; prefer pre-installed dependencies or a secure, managed installation process. | LLM | SKILL.md:105 |
| MEDIUM | Supply Chain Risk: Unspecified `python-pptx` package installation. The skill instructs the LLM to install `python-pptx` if unavailable, without specifying a version or a trusted package source. This creates a supply chain risk, as the LLM might install a vulnerable, malicious, or typosquatted package from a public repository, potentially compromising the system. Recommendation: if package installation is absolutely necessary, specify exact package versions and, if possible, trusted package indexes or hashes. Ideally, dependencies should be pre-installed and managed by the environment, not by the LLM at runtime. | LLM | SKILL.md:116 |
Full report: https://skillshield.io/report/ca72392b0ab04b22