Trust Assessment
doc received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 2 critical, 4 high, 1 medium, and 2 low severity. Key findings include Unsafe environment variable passthrough, Arbitrary command execution, Credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 16/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/doc/scripts/render_docx.py:101 |
| CRITICAL | Credential harvesting: bulk environment variable dump. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | cli-tool/components/skills/document-processing/doc/scripts/render_docx.py:106 |
| HIGH | Unsafe environment variable passthrough: bulk environment variable harvesting. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | cli-tool/components/skills/document-processing/doc/scripts/render_docx.py:106 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_cmd_no_check'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/doc/scripts/render_docx.py:101 |
| HIGH | Path traversal in output directory: the `scripts/render_docx.py` script takes an `--output_dir` argument from user input (as indicated by `SKILL.md` and standard `argparse` usage). This argument is then used directly in `makedirs()` and `image.save()` calls within the `rasterize` function without proper sanitization against path traversal sequences (e.g., `../`). An attacker could specify a malicious `output_dir` like `../../etc` to write arbitrary files to sensitive system directories, potentially leading to privilege escalation, data corruption, or denial of service, assuming the agent has write permissions to those locations. Sanitize the `output_dir` argument to ensure it stays within an allowed base directory. This can be done by resolving the path (e.g., `pathlib.Path(output_dir).resolve()`) and then checking if it is a subdirectory of a trusted base path (e.g., using `path.is_relative_to(base_path)` or `os.path.commonpath`). | Static | scripts/render_docx.py:150 |
| HIGH | LLM analysis found no issues despite critical deterministic findings: deterministic layers flagged 2 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | Covert behavior / concealment directives: multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
| LOW | Unpinned Python dependencies: the `SKILL.md` instructs users to install Python packages (`python-docx`, `pdf2image`) using `uv pip install` or `python3 -m pip install` without specifying exact versions. This can lead to non-deterministic builds and introduces a supply chain risk, as a future version of a dependency might introduce breaking changes or security vulnerabilities. Without version pinning, the skill's behavior could change unexpectedly or become insecure if a dependency is updated. Pin all Python dependencies to exact versions (e.g., `python-docx==1.1.0 pdf2image==1.17.0`) to ensure deterministic installations and mitigate risks from unexpected dependency updates. Consider using a `requirements.txt` file or similar lock file mechanism. | Static | SKILL.md:48 |
[Full SkillShield report](https://skillshield.io/report/d91c5156869dab33)