Security Audit
ailabs-393/ai-labs-claude-skills:packages/skills/data-analyst
github.com/ailabs-393/ai-labs-claude-skills
Trust Assessment
ailabs-393/ai-labs-claude-skills:packages/skills/data-analyst received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 4 critical, 1 high, 7 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Unpinned Python dependency version, Potential Command Injection via Skill Description.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on March 14, 2026 (commit 1a12bc7a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | packages/skills/data-analyst/SKILL.md:98 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | packages/skills/data-analyst/scripts/create_dashboard.py:394 |
| CRITICAL | Potential Command Injection via Skill Description | The `SKILL.md` file, which serves as instructions for the host LLM, describes `bash` commands that take file paths and other parameters directly from placeholders (e.g., `<input_file.csv>`, `<output_dir>`, `<port>`). If the host LLM constructs these commands by directly substituting user-provided input into these placeholders without proper sanitization, an attacker could inject arbitrary shell commands. For example, providing `'; rm -rf /'` as an input file name could lead to arbitrary code execution. The host LLM must rigorously sanitize all user-provided inputs before constructing and executing any shell commands. Implement strict allow-lists for file paths, validate port numbers, and escape all special characters. Alternatively, the skill's `index.js` should implement the command execution using a secure API (e.g., `subprocess.run` with `shell=False` and explicit argument lists) rather than relying on the host LLM to construct shell strings. | LLM | SKILL.md:30 |
| CRITICAL | Exposed Dash Dashboard with Debug Mode Enabled | The `scripts/create_dashboard.py` script hardcodes `debug=True` and `host='0.0.0.0'` when running the Plotly Dash server. `host='0.0.0.0'` makes the dashboard accessible from any network interface, potentially exposing it to external attackers if the skill's environment is not strictly isolated. More critically, `debug=True` enables the Dash debugger, which can allow arbitrary code execution on the server by an attacker who can access the dashboard, leading to full system compromise and data exfiltration. Never run Dash applications with `debug=True` or `host='0.0.0.0'` in a production or untrusted environment. For skill execution, the dashboard should ideally be served only on `127.0.0.1` (localhost) with `debug=False`. If external access is required, implement strong authentication and authorization, and ensure `debug=False`. Consider generating static HTML reports instead of running a live server if interactivity is not strictly necessary for the skill's output. | Static | scripts/create_dashboard.py:269 |
| HIGH | Arbitrary File Read/Write via Script Arguments | The Python scripts (`analyze_missing_values.py`, `impute_missing_values.py`, `create_dashboard.py`) directly use command-line arguments (`sys.argv`) as file paths for reading CSVs (`pd.read_csv`) and writing outputs (`json.dump`, `df.to_csv`, `fig.write_html`). If an attacker can control these arguments (e.g., via prompt injection to the host LLM), they could force the skill to read or overwrite arbitrary files on the system, leading to data exfiltration or integrity compromise. This is a direct vulnerability in the scripts themselves, regardless of how the host LLM constructs the commands. Implement robust input validation for all file paths passed as command-line arguments. Restrict file operations to a designated, isolated directory (e.g., a sandbox). Use `pathlib` to resolve and normalize paths, and check that paths do not escape the allowed directory. Consider using temporary files for intermediate outputs. | Static | scripts/analyze_missing_values.py:100 |
| MEDIUM | Unpinned Python dependency version | Requirement 'pandas>=2.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | packages/skills/data-analyst/requirements.txt:1 |
| MEDIUM | Unpinned Python dependency version | Requirement 'numpy>=1.24.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | packages/skills/data-analyst/requirements.txt:2 |
| MEDIUM | Unpinned Python dependency version | Requirement 'scikit-learn>=1.3.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | packages/skills/data-analyst/requirements.txt:3 |
| MEDIUM | Unpinned Python dependency version | Requirement 'plotly>=5.18.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | packages/skills/data-analyst/requirements.txt:4 |
| MEDIUM | Unpinned Python dependency version | Requirement 'dash>=2.14.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | packages/skills/data-analyst/requirements.txt:5 |
| MEDIUM | Unpinned Python dependency version | Requirement 'dash-bootstrap-components>=1.5.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | packages/skills/data-analyst/requirements.txt:6 |
| MEDIUM | Unpinned Dependencies in requirements.txt | The `requirements.txt` file specifies minimum versions for Python packages (e.g., `pandas>=2.0.0`) rather than exact versions. This practice can lead to supply chain risks, as future updates to these libraries could introduce breaking changes, new vulnerabilities, or unexpected behavior. While not an immediate exploit, it increases the maintenance burden and the risk of future security issues. Pin all dependencies to exact versions (e.g., `pandas==2.0.0`). Use a dependency management tool like `pip-tools` to compile and manage pinned dependencies. Regularly audit and update dependencies to incorporate security patches while maintaining version control. | Static | requirements.txt:1 |