Security Audit

ml-paper-writing

github.com/davila7/claude-code-templates

AI SkillCommit 458b11867eae

CRITICAL

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

ml-paper-writing received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 9 findings: 4 critical, 3 high, 1 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Command Injection and Excessive Permissions via Shell Commands.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 11, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

91%

Static Code Analysis

Dependency Graph

100%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Network Access

5 findings

Filesystem Write

6 findings

Shell Execution

6 findings

Dynamic Code

5 findings

Excessive Permissions

6 findings

Security Findings9

Severity	Finding	Layer	Location
CRITICAL	Command Injection and Excessive Permissions via Shell Commands The skill explicitly instructs the AI agent to execute arbitrary shell commands (`ls`, `find`, `grep`, `cp`, `cd`, `latexmk`, `pdflatex`, `bibtex`) as part of its workflow. This grants the agent broad filesystem access and the ability to execute external programs, which is a severe command injection vulnerability. An attacker could potentially craft malicious input that is then used in these commands, or the commands themselves could be used to access, modify, or delete sensitive files on the host system. Remove direct execution of shell commands. Instead, define specific, sandboxed tool functions for file system interaction (e.g., `read_file(path)`, `list_directory(path)`) that operate within a restricted scope and validate all inputs. Avoid `xargs` or other constructs that can lead to arbitrary command execution.	Static	SKILL.md:90
CRITICAL	Command Injection and Excessive Permissions via Shell Commands The skill explicitly instructs the AI agent to execute arbitrary shell commands (`ls`, `find`, `grep`, `cp`, `cd`, `latexmk`, `pdflatex`, `bibtex`) as part of its workflow. This grants the agent broad filesystem access and the ability to execute external programs, which is a severe command injection vulnerability. An attacker could potentially craft malicious input that is then used in these commands, or the commands themselves could be used to access, modify, or delete sensitive files on the host system. Remove direct execution of shell commands. Instead, define specific, sandboxed tool functions for file system interaction (e.g., `read_file(path)`, `list_directory(path)`) that operate within a restricted scope and validate all inputs. Avoid `xargs` or other constructs that can lead to arbitrary command execution.	Static	SKILL.md:108
CRITICAL	Command Injection and Excessive Permissions via Shell Commands The skill explicitly instructs the AI agent to execute arbitrary shell commands (`ls`, `find`, `grep`, `cp`, `cd`, `latexmk`, `pdflatex`, `bibtex`) as part of its workflow. This grants the agent broad filesystem access and the ability to execute external programs, which is a severe command injection vulnerability. An attacker could potentially craft malicious input that is then used in these commands, or the commands themselves could be used to access, modify, or delete sensitive files on the host system. Remove direct execution of shell commands. Instead, define specific, sandboxed tool functions for file system interaction (e.g., `copy_directory(source, dest)`, `change_directory(path)`) that operate within a restricted scope and validate all inputs.	Static	SKILL.md:395
CRITICAL	Command Injection and Excessive Permissions via Shell Commands The skill explicitly instructs the AI agent to execute arbitrary shell commands (`ls`, `find`, `grep`, `cp`, `cd`, `latexmk`, `pdflatex`, `bibtex`) as part of its workflow. This grants the agent broad filesystem access and the ability to execute external programs, which is a severe command injection vulnerability. An attacker could potentially craft malicious input that is then used in these commands, or the commands themselves could be used to access, modify, or delete sensitive files on the host system. Remove direct execution of shell commands. Instead, define specific, sandboxed tool functions for compiling LaTeX (e.g., `compile_latex(file)`) that operate within a restricted environment and validate all inputs. Avoid direct calls to `latexmk`, `pdflatex`, or `bibtex`.	Static	SKILL.md:412
HIGH	Data Exfiltration via `grep` commands The skill instructs the AI agent to execute `grep` commands with broad search scopes (`find .`, `grep -r`) to extract information from files. Specifically, `grep -l -i "result\\|conclusion\\|finding"` and `grep -r "arxiv\\|doi\\|cite"` could inadvertently exfiltrate sensitive data if the files being searched contain proprietary research results, internal documentation, or confidential citation information. The output of these commands would be directly accessible to the AI agent. Replace direct `grep` commands with a sandboxed file content analysis tool that can redact or filter sensitive information. Ensure that the agent's access to file content is strictly limited to what is necessary for its task and that any extracted data is handled securely.	Static	SKILL.md:90
HIGH	Data Exfiltration via `grep` commands The skill instructs the AI agent to execute `grep` commands with broad search scopes (`find .`, `grep -r`) to extract information from files. Specifically, `grep -l -i "result\\|conclusion\\|finding"` and `grep -r "arxiv\\|doi\\|cite"` could inadvertently exfiltrate sensitive data if the files being searched contain proprietary research results, internal documentation, or confidential citation information. The output of these commands would be directly accessible to the AI agent. Replace direct `grep` commands with a sandboxed file content analysis tool that can redact or filter sensitive information. Ensure that the agent's access to file content is strictly limited to what is necessary for its task and that any extracted data is handled securely.	Static	SKILL.md:108
HIGH	LLM analysis found no issues despite critical deterministic findings Deterministic layers flagged 5 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion.	LLM	(sanity check)
MEDIUM	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	cli-tool/components/mcps/devtools/figma-dev-mode.json:4
LOW	Covert behavior / concealment directives Multiple zero-width characters (stealth text) Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users.	Manifest	cli-tool/components/mcps/devtools/jfrog.json:4

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/15b7966136a97972.svg)](https://skillshield.io/report/15b7966136a97972)