Trust Assessment
safe-file-reader received a trust score of 25/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include Path Traversal leading to Arbitrary File Read (read_file), Path Traversal leading to Arbitrary File Read (read_config), and "LLM analysis found no issues despite critical deterministic findings".
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. The static_code_analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit de937128). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Path Traversal leading to Arbitrary File Read (read_file).** The `read_file` function constructs a file path using `os.path.join` with an untrusted `filename` input. `os.path.join` does not sanitize path traversal sequences (e.g., `../`). An attacker can provide `../../../etc/passwd` as the `filename` to read arbitrary files outside the intended `/home/user/documents` directory, leading to data exfiltration. Implement robust path validation to ensure the resolved file path remains strictly within the intended base directory. Use `os.path.abspath` and verify that the resulting path starts with the absolute path of the base directory, or use `pathlib.Path.resolve(strict=True)` and check if it's a subpath of the base directory. For example, `resolved_path = (Path(base_dir) / filename).resolve()` followed by `if not resolved_path.is_relative_to(base_dir): raise ValueError('Path traversal attempt')`. | Unknown | read.py:19 |
| CRITICAL | **Path Traversal leading to Arbitrary File Read (read_config).** The `read_config` function directly constructs a file path using an f-string with an untrusted `config_name` input. This allows an attacker to inject path traversal sequences (e.g., `../`) to read arbitrary files outside the intended `/etc/app/` directory. For example, providing `../passwd` as `config_name` would attempt to read `/etc/passwd`, leading to data exfiltration. Avoid direct concatenation of untrusted input into file paths. If configuration files must be read, ensure the input `config_name` is strictly validated (e.g., only alphanumeric characters, no path separators) and that the file is read from a known, restricted directory. Alternatively, map `config_name` to a predefined set of allowed configuration files. | Unknown | read.py:28 |
| HIGH | **LLM analysis found no issues despite critical deterministic findings.** Deterministic layers flagged 2 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | Unknown | (sanity check) |