Trust Assessment
scientific-slides received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 3 critical, 6 high, 2 medium, and 2 low severity. Key findings include: Arbitrary command execution; Dangerous tool allowed: Bash; Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 23/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (13)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/scientific/scientific-slides/scripts/generate_slide_image.py:132 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/scientific/scientific-slides/scripts/validate_presentation.py:247 |
| CRITICAL | Sensitive file content sent to external AI API: The `generate_slide_image_ai.py` script base64 encodes the content of files specified by the `--attach` argument and sends them to the OpenRouter AI API. An attacker could manipulate the agent to attach sensitive files (e.g., `/etc/passwd`, `.env` files, SSH keys) that the agent has read access to, leading to their exfiltration to the third-party AI service. The `SKILL.md` explicitly instructs the LLM to `ls` directories to find files, which could be abused to discover sensitive paths for exfiltration. Implement strict allow-listing or sandboxing for file paths that can be attached. Only allow files from designated, non-sensitive directories (e.g., a temporary `figures/` directory created by the skill). Warn the user about data privacy implications when attaching files to external services. | LLM | scripts/generate_slide_image_ai.py:200 |
| HIGH | Dangerous tool allowed: Bash. The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | cli-tool/components/skills/scientific/scientific-slides/SKILL.md:1 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/scientific/scientific-slides/scripts/generate_slide_image.py:132 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_try_compile_latex'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/scientific/scientific-slides/scripts/validate_presentation.py:247 |
| HIGH | LaTeX compilation allows arbitrary command execution: The `validate_presentation.py` script executes `pdflatex` with a user-controlled `.tex` file path. LaTeX's `\write18` feature allows arbitrary shell commands to be executed during compilation. An attacker could provide a malicious `.tex` file containing `\write18{rm -rf /}` or similar commands, leading to arbitrary command execution on the host system. Although `subprocess.run` is used with a list (mitigating shell injection), `pdflatex` itself is the vector for command execution. Run `pdflatex` in a restricted mode (e.g., `pdflatex -shell-escape=0` or `pdflatex -no-shell-escape`) to disable `\write18`. Alternatively, execute LaTeX compilation within a tightly sandboxed environment. | LLM | scripts/validate_presentation.py:290 |
| HIGH | Path traversal allows arbitrary file writes for output files: The `pdf_to_images.py` and `slides_to_pdf.py` scripts construct output file paths (`output_prefix`, `output_path`) directly from user input without sanitization. An attacker could provide a path containing traversal sequences (e.g., `../../../../etc/malicious_file`) to write files to arbitrary locations on the filesystem, potentially overwriting critical system files or placing malicious executables. Sanitize all user-provided file paths to prevent path traversal. Use `pathlib.Path.resolve()` or similar methods to ensure paths are strictly within an allowed output directory, or implement explicit checks for `..` components. | LLM | scripts/pdf_to_images.py:100 |
| HIGH | Path traversal allows arbitrary file writes for output files: The `pdf_to_images.py` and `slides_to_pdf.py` scripts construct output file paths (`output_prefix`, `output_path`) directly from user input without sanitization. An attacker could provide a path containing traversal sequences (e.g., `../../../../etc/malicious_file`) to write files to arbitrary locations on the filesystem, potentially overwriting critical system files or placing malicious executables. Sanitize all user-provided file paths to prevent path traversal. Use `pathlib.Path.resolve()` or similar methods to ensure paths are strictly within an allowed output directory, or implement explicit checks for `..` components. | LLM | scripts/slides_to_pdf.py:140 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | cli-tool/components/skills/scientific/scientific-slides/scripts/generate_slide_image_ai.py:43 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | Covert behavior / concealment directives: Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
| LOW | Python scripts use unpinned dependencies: The Python scripts rely on external libraries like `requests`, `Pillow`, `PyMuPDF`, `PyPDF2`, `python-pptx`, and `python-dotenv` without specifying exact versions. This can lead to supply chain vulnerabilities if a new version of a dependency introduces a breaking change, a security flaw, or is maliciously altered. Create a `requirements.txt` file with pinned versions for all Python dependencies (e.g., `Pillow==9.5.0`) and ensure it is used during deployment. | LLM | scripts/generate_slide_image.py |
Report: https://skillshield.io/report/f5af18995739cf2b