Trust Assessment
literature-review received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 4 critical, 4 high, 2 medium, and 1 low severity. Key findings include arbitrary command execution in the PDF generation script, an unconstrained Bash tool in the skill's allowed tools, and direct subprocess.run() calls.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Manifest Analysis layer scored lowest, at 1/100.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/scientific/literature-review/scripts/generate_pdf.py:46 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Same guidance as above. | Manifest | cli-tool/components/skills/scientific/literature-review/scripts/generate_pdf.py:91 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Same guidance as above. | Manifest | cli-tool/components/skills/scientific/literature-review/scripts/generate_pdf.py:110 |
| CRITICAL | Command injection / arbitrary file operations in the PDF generation script (full description and remediation below). | LLM | scripts/generate_pdf.py:30 |
| HIGH | Dangerous tool allowed: Bash. The skill allows the 'Bash' tool without constraints, which grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | cli-tool/components/skills/scientific/literature-review/SKILL.md:1 |
| HIGH | Dangerous call: subprocess.run() in function 'generate_pdf'. This can execute arbitrary code. Avoid exec/eval/os.system-style calls; use safer alternatives. | Static | cli-tool/components/skills/scientific/literature-review/scripts/generate_pdf.py:46 |
| HIGH | Dangerous call: subprocess.run() in function 'generate_pdf'. Same guidance as above. | Static | cli-tool/components/skills/scientific/literature-review/scripts/generate_pdf.py:91 |
| HIGH | Dangerous call: subprocess.run() in function 'check_dependencies'. Same guidance as above. | Static | cli-tool/components/skills/scientific/literature-review/scripts/generate_pdf.py:110 |
| MEDIUM | Suspicious import: requests. This module provides network access. Verify the import is necessary; network and system modules in skill code may indicate data exfiltration. | Static | cli-tool/components/skills/scientific/literature-review/scripts/verify_citations.py:8 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to a raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses; legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | Covert behavior / concealment directives: multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Reading the table: the three Manifest-layer "Arbitrary command execution" findings and the three Static-layer "Dangerous call: subprocess.run()" findings point at the same three lines of generate_pdf.py (46, 91, 110), so six of the eleven findings describe three subprocess.run() call sites counted by two layers. The two Manifest findings at figma-dev-mode.json:4 and jfrog.json:4 sit under cli-tool/components/mcps/devtools/, outside the literature-review skill's own directory, and should be treated as repository-level findings rather than defects in this skill's code.
Detail: Command Injection / Arbitrary File Operations in PDF Generation Script (LLM layer, scripts/generate_pdf.py:30)
The `scripts/generate_pdf.py` script uses `subprocess.run` to execute the `pandoc` command-line tool. Arguments passed to this script, specifically `markdown_file` (input file), `output_pdf` (output file, derived from `markdown_file` by default), `citation_style` (CSL file path), and `template` (LaTeX template file path), are taken directly from `sys.argv` without sanitization or validation. If an attacker can control these arguments (for example, by supplying malicious filenames or paths in a prompt to the LLM), they can achieve:
1. **Arbitrary File Write**: By pointing `markdown_file` at a sensitive location (e.g., `/etc/passwd`), the default `output_pdf` becomes a path like `/etc/passwd.pdf`, so the script will create or overwrite files in sensitive directories wherever the user running the skill has write permission.
2. **Arbitrary File Read / Information Disclosure**: By pointing `markdown_file`, `citation_style`, or `template` at sensitive system files (e.g., `/etc/passwd`), `pandoc` will attempt to read and process them. This can disclose their content through error messages, logs, or by embedding it in the generated PDF.
The skill's declared `Bash` permission allows the execution of this vulnerable script, making this a critical exploit path. Remediation: implement robust input validation for all arguments passed to `generate_pdf.py` that originate from untrusted sources.
1. **File paths (`markdown_file`, `output_pdf`, `template`, `citation_style`)**: Validate that paths lie within expected, non-sensitive directories and contain no traversal sequences (e.g., `../`). Write output files only to a sandboxed, temporary, or user-specific directory.
2. **Whitelisting**: For `citation_style` and `template`, accept a whitelist of allowed names or paths instead of using user input directly.
3. **Argument parsing**: The `main` function's argument parsing is incomplete (e.g., the `--output` and `--template` flags are not fully handled). Ensure every intended command-line argument is parsed and validated before it is passed to the `generate_pdf` function.
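The following Python is an added example of the remediation the LLM-layer finding recommends; it is not code from the literature-review skill or from SkillShield. It confines the input and output to a working directory by comparing fully resolved paths (which also catches absolute paths and symlink escapes, not just literal `../`), maps `citation_style` and `template` to vetted files through a whitelist, parses `--output` and `--template` explicitly, and hands pandoc an argument list with no shell. The directory layout under `/opt/litreview`, the `out` subdirectory, the fixed pandoc path `/usr/bin/pandoc`, and the style and template names are assumptions for illustration; the sample arguments used in the usage note are constructed.

```python
"""Hardened argument handling for a pandoc-driven PDF step (added example).

The directories, the pandoc path and the whitelisted style/template names
below are assumptions for illustration, not the skill's own values.
"""
from __future__ import annotations

import argparse
import subprocess
import sys
from pathlib import Path

PANDOC = "/usr/bin/pandoc"                        # absolute path (assumed)
STYLES_DIR = Path("/opt/litreview/csl")           # vetted .csl files (assumed)
TEMPLATES_DIR = Path("/opt/litreview/templates")  # vetted .tex templates (assumed)
ALLOWED_STYLES = {"apa", "ieee", "nature"}        # whitelist instead of free paths
ALLOWED_TEMPLATES = {"default", "eisvogel"}


class UnsafeArgument(ValueError):
    """A caller-supplied argument failed validation; nothing was executed."""


def resolve_within(base: Path, candidate: str) -> Path:
    """Resolve candidate and require the result to stay under base.

    Absolute paths (/etc/passwd), '..' traversal and symlink escapes are all
    caught by comparing fully resolved paths rather than inspecting strings.
    """
    base_r = base.resolve()
    target = (base_r / candidate).resolve()
    if target != base_r and base_r not in target.parents:
        raise UnsafeArgument(f"{candidate!r} escapes {base_r}")
    return target


def pick_whitelisted(name: str, allowed: set[str], directory: Path, suffix: str) -> Path:
    """Map a short name to a vetted file; any other value is refused."""
    if name not in allowed:
        raise UnsafeArgument(f"{name!r} is not one of {sorted(allowed)}")
    return directory / f"{name}{suffix}"


def build_pandoc_command(markdown_file: str, workdir: str | Path, *,
                         citation_style: str = "apa", template: str = "default",
                         output: str | None = None) -> list[str]:
    """Validate every caller-controlled argument and return pandoc's argv.

    The command is returned, not run, so the checks can be exercised without
    pandoc installed; run_pandoc() executes it.
    """
    work = Path(workdir)
    src = resolve_within(work, markdown_file)
    if src.suffix.lower() != ".md":
        raise UnsafeArgument("input must be a .md file")
    # Default output keeps the "input name + .pdf" convention but is confined
    # to <workdir>/out instead of following the input's own location.
    out_name = output if output is not None else src.with_suffix(".pdf").name
    dst = resolve_within(work / "out", out_name)
    if dst.suffix.lower() != ".pdf":
        raise UnsafeArgument("output must be a .pdf file")
    csl = pick_whitelisted(citation_style, ALLOWED_STYLES, STYLES_DIR, ".csl")
    tpl = pick_whitelisted(template, ALLOWED_TEMPLATES, TEMPLATES_DIR, ".tex")
    # Paths are absolute after resolve(), so an input named
    # "--lua-filter=x.md" reaches pandoc as a file path, not as an option.
    return [PANDOC, str(src), "--citeproc", "--csl", str(csl),
            "--template", str(tpl), "-o", str(dst)]


def rejects(markdown_file: str, workdir: str | Path, **kwargs) -> bool:
    """True if build_pandoc_command refuses these arguments."""
    try:
        build_pandoc_command(markdown_file, workdir, **kwargs)
    except UnsafeArgument:
        return True
    return False


def run_pandoc(argv: list[str]) -> subprocess.CompletedProcess:
    """Run the validated argv as a list: no shell, so no metacharacter parsing."""
    return subprocess.run(argv, check=True, capture_output=True, text=True, timeout=600)


def main(args: list[str]) -> int:
    p = argparse.ArgumentParser(description="Render a Markdown review to PDF.")
    p.add_argument("markdown_file")
    p.add_argument("--output", help="PDF name, written under <workdir>/out")
    p.add_argument("--citation-style", default="apa", choices=sorted(ALLOWED_STYLES))
    p.add_argument("--template", default="default", choices=sorted(ALLOWED_TEMPLATES))
    p.add_argument("--workdir", default=".", help="directory the input must live in")
    ns = p.parse_args(args)
    try:
        cmd = build_pandoc_command(ns.markdown_file, ns.workdir, citation_style=ns.citation_style,
                                   template=ns.template, output=ns.output)
    except UnsafeArgument as exc:
        print(f"refused: {exc}", file=sys.stderr)
        return 2
    run_pandoc(cmd)
    return 0


if __name__ == "__main__":
    raise SystemExit(main(sys.argv[1:]))
```

With a constructed working directory of `/tmp/litreview`, `build_pandoc_command("paper.md", "/tmp/litreview")` yields an argv whose input is `/tmp/litreview/paper.md` and whose output is `/tmp/litreview/out/paper.pdf`, while `rejects("/etc/passwd", "/tmp/litreview")`, `rejects("paper.md", "/tmp/litreview", output="../escape.pdf")` and `rejects("paper.md", "/tmp/litreview", citation_style="../../etc/passwd")` all return `True`. Returning the argv from a pure function and executing it separately is what lets these checks be tested without pandoc present; the `subprocess.run()` call itself remains, but its arguments are no longer caller-controlled strings.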
Full report: https://skillshield.io/report/25693bacdfa1d39d