Security Audit
amumulam/diataxis-writing:root
github.com/amumulam/diataxis-writingTrust Assessment
amumulam/diataxis-writing:root received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 4 critical, 6 high, 0 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Command Injection via subprocess.run with user-controlled arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 28, 2026 (commit e0caf7c9). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings10
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | scripts/output-handler.py:134 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | scripts/output-handler.py:245 | |
| CRITICAL | Command Injection via subprocess.run with user-controlled arguments The `scripts/output-handler.py` script uses `subprocess.run` to execute external commands, specifically `git`. While the full `execute_output` method is truncated, the `_check_git` function (line 109) confirms `subprocess.run` usage. The skill's description in `SKILL.md` implies that user-controlled inputs such as `file_path`, `commit_message`, `branch`, and `repo_url` will be used in `git` commands (e.g., `git add`, `git commit`, `git push`). If these user inputs are passed directly to `subprocess.run` without proper sanitization or shell escaping, an attacker can inject arbitrary shell commands. Ensure all user-controlled inputs passed to `subprocess.run` are properly sanitized and escaped. Prefer passing arguments as a list (as shown in the snippet) rather than a single shell string, and avoid `shell=True` unless absolutely necessary. Implement strict validation for all user-provided paths, messages, and branch names. | LLM | scripts/output-handler.py:109 | |
| CRITICAL | Command Injection via shell command examples in SKILL.md The `SKILL.md` file explicitly instructs the LLM to construct and execute shell commands using user-controlled input. For example, it shows `python3 scripts/diagnose.py <document content or file path>` (line 30) and `node /path/to/mcporter/dist/cli.js call feishu doc.create '{"title":"...", "content":"..."}'` (line 180). If the LLM directly interpolates user-provided values for `<document content or file path>`, `title`, or `content` into these shell command strings without proper escaping, an attacker can inject arbitrary shell commands, leading to remote code execution. The LLM orchestrating this skill must strictly sanitize and escape all user-controlled inputs before incorporating them into shell commands. It is recommended to use a safe command execution mechanism that passes arguments as a list rather than a single string, or to implement robust input validation and escaping for shell contexts. | LLM | SKILL.md:180 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_check_git'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | scripts/output-handler.py:134 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_output_feishu'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | scripts/output-handler.py:245 | |
| HIGH | Excessive Permissions (Access to /root directory) The `scripts/output-handler.py` script hardcodes paths within the `/root/` directory: `/root/config/mcporter.json` for configuration and `/root/.openclaw/workspace/docs/` as a default output path. Accessing the `/root/` directory implies that the skill expects to run with root or highly privileged access. This constitutes excessive permissions, increasing the potential impact and blast radius if other vulnerabilities (e.g., command injection) are exploited. Avoid hardcoding paths within `/root/`. Use user-specific or temporary directories for output, and store configuration files in more appropriate, less privileged locations (e.g., `/etc/` for system-wide config, or user's home directory `~/.config/`). Ensure the skill runs with the principle of least privilege. | LLM | scripts/output-handler.py:40 | |
| HIGH | Supply Chain Risk (Unpinned npx dependency) The `SKILL.md` file suggests using `npx mcporter call feishu ...` (line 180). `npx` by default fetches and executes the latest version of a package if not explicitly pinned. This introduces a significant supply chain risk, as a compromised or malicious update to the `mcporter` package could be automatically downloaded and executed without explicit review, potentially leading to arbitrary code execution or data exfiltration. Pin the version of `mcporter` when using `npx` (e.g., `npx mcporter@1.2.3 call ...`) to ensure a consistent and reviewed version is always used. Regularly audit and update pinned dependencies to mitigate known vulnerabilities. | LLM | SKILL.md:180 | |
| HIGH | Data Exfiltration / Credential Harvesting (Access to sensitive configuration files) The `scripts/output-handler.py` script reads configuration files such as `/root/config/mcporter.json` and `~/.mcporter/mcporter.json`. These files are explicitly stated to contain MCP server configurations, which are highly likely to include sensitive credentials (e.g., API keys, tokens) for various services (Feishu, GitHub, Notion, Google Docs). While the script uses these credentials for legitimate purposes, their direct access by the script, especially when combined with command injection vulnerabilities, creates a high risk of data exfiltration or credential harvesting if an attacker can manipulate the script's execution or output. Implement strict access controls for configuration files containing credentials. Ensure that credentials are not logged or exposed in error messages. If possible, use secure credential management systems (e.g., environment variables, secrets managers) instead of storing them directly in files. Combine this with robust input sanitization to prevent command injection that could lead to credential exfiltration. | LLM | scripts/output-handler.py:80 | |
| HIGH | Path Traversal Vulnerability in File Read The `scripts/diagnose.py` script takes a file path as an argument (`args.file`) and directly uses it in an `open()` call (`with open(args.file, 'r', encoding='utf-8') as f: content = f.read()`). If the LLM passes user-controlled input to `args.file` without proper sanitization, an attacker can provide a path like `../../../../etc/passwd` to read arbitrary files on the system, leading to information disclosure. Implement strict path sanitization and validation for `args.file`. Ensure that the provided path is within an expected and allowed directory, and prevent directory traversal characters (e.g., `..`, `/`). Consider using `os.path.abspath` and `os.path.commonprefix` to validate paths, or restrict file access to a specific, sandboxed directory. | LLM | scripts/diagnose.py:140 |
Scan History
Embed Code
[](https://skillshield.io/report/c9e0dd0138030b41)
Powered by SkillShield