Trust Assessment
pdf received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 3 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via Shell Commands in Documentation, Command Injection via `pdf2image` in `convert_pdf_to_images.py`, Arbitrary File Read via Unsanitized Input Paths.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential Command Injection via Shell Commands in Documentation** The `SKILL.md` documentation provides examples of direct shell command execution using `pdftotext`, `qpdf`, `pdftk`, and `pdfimages`. If the AI agent constructs these commands by directly embedding unsanitized user input (e.g., filenames), an attacker could inject arbitrary shell commands. For example, providing `my_doc.pdf; rm -rf /` as a filename could lead to critical system compromise. The AI agent orchestrator must strictly sanitize all user-provided inputs before constructing and executing shell commands. Consider using a safe wrapper (e.g., `subprocess.run` with `shell=False` in Python) and validating inputs against a whitelist of allowed characters and patterns, or restricting file operations to a sandboxed directory. | LLM | SKILL.md:150 |
| HIGH | **Command Injection via `pdf2image` in `convert_pdf_to_images.py`** The `scripts/convert_pdf_to_images.py` script uses `pdf2image.convert_from_path`, which internally relies on `poppler-utils` command-line tools (e.g., `pdftoppm`). If the `pdf_path` or `output_dir` arguments passed to this script are derived from unsanitized user input, it could lead to command injection, allowing an attacker to execute arbitrary shell commands. Implement robust input validation and sanitization for `pdf_path` and `output_dir` arguments. Ensure that paths are restricted to expected directories and do not contain path traversal sequences (e.g., `../`) or shell metacharacters. Consider using a sandboxed environment for executing such commands. | LLM | scripts/convert_pdf_to_images.py:10 |
| HIGH | **Arbitrary File Read via Unsanitized Input Paths** Multiple Python scripts (e.g., `check_bounding_boxes.py`, `check_fillable_fields.py`, `convert_pdf_to_images.py`, `create_validation_image.py`, `extract_form_field_info.py`, `fill_fillable_fields.py`, `fill_pdf_form_with_annotations.py`) accept file paths as command-line arguments (`sys.argv`). If the AI agent can be prompted to pass arbitrary file paths (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) to these scripts, it could lead to data exfiltration by reading sensitive system files. While some scripts might fail to process non-PDF/JSON/image files, the attempt to read is still a security risk. The AI agent orchestrator must strictly validate and sanitize all file paths provided by users. Paths should be restricted to a designated working directory, disallowing path traversal sequences (`../`) and absolute paths. Implement a whitelist of allowed file extensions and ensure files are within the expected scope. | LLM | scripts/check_bounding_boxes.py:60 |
| HIGH | **Arbitrary File Write via Unsanitized Output Paths** Several Python scripts (e.g., `convert_pdf_to_images.py`, `create_validation_image.py`, `extract_form_field_info.py`, `fill_fillable_fields.py`, `fill_pdf_form_with_annotations.py`) write output to file paths specified as command-line arguments. If the AI agent can be prompted to provide unsanitized output paths (e.g., `../../../../etc/malicious_file`, `/tmp/output.png; rm -rf /`), an attacker could write arbitrary files to sensitive locations, potentially overwriting system files or leading to denial of service. The AI agent orchestrator must strictly validate and sanitize all output file paths. Output should be restricted to a designated, isolated working directory. Disallow path traversal sequences (`../`) and absolute paths. Ensure that the output directory is not user-controlled or is properly sandboxed. | LLM | scripts/convert_pdf_to_images.py:20 |