Trust Assessment
slack-gif-creator received a trust score of 40/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 0 critical, 1 high, 6 medium, and 1 low severity. Key findings include Unpinned Python dependency version, Network egress to untrusted endpoints, Covert behavior / concealment directives.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary File Write via GIFBuilder.save: The `GIFBuilder.save` method in `core/gif_builder.py` writes the generated GIF to an `output_path` provided as an argument. If this `output_path` is derived directly from untrusted user input without proper sanitization or validation, an attacker could specify an arbitrary file path on the system. This could lead to overwriting existing files, creating new files in sensitive directories, or potentially executing code if the path points to a special device file or a location where executable content can be placed and later triggered. For an AI agent skill, it is a credible exploit path for a user to request 'save the GIF to /etc/pwned.gif'. Implement strict validation and sanitization for the `output_path` parameter. Restrict output paths to a designated, non-sensitive directory (e.g., a temporary directory or a user-specific output folder). Prevent path traversal sequences (`../`) and absolute paths. If possible, only allow saving to a predefined set of safe filenames or generate unique, secure filenames internally. | Static | core/gif_builder.py:128 |
| MEDIUM | Unpinned Python dependency version: Requirement 'pillow>=10.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | cli-tool/components/skills/creative-design/slack-gif-creator/requirements.txt:1 |
| MEDIUM | Unpinned Python dependency version: Requirement 'imageio>=2.31.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | cli-tool/components/skills/creative-design/slack-gif-creator/requirements.txt:2 |
| MEDIUM | Unpinned Python dependency version: Requirement 'imageio-ffmpeg>=0.4.9' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | cli-tool/components/skills/creative-design/slack-gif-creator/requirements.txt:3 |
| MEDIUM | Unpinned Python dependency version: Requirement 'numpy>=1.24.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | cli-tool/components/skills/creative-design/slack-gif-creator/requirements.txt:4 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Arbitrary File Read (Metadata) via validators.py: The `check_slack_size` and `validate_gif` functions in `core/validators.py` accept a `gif_path` argument and perform file operations such as `gif_path.stat().st_size` and `Image.open(gif_path)`. If `gif_path` is directly influenced by untrusted user input without validation, an attacker could provide paths to arbitrary files on the system. While these functions primarily extract metadata (file size, dimensions, frame count) and do not expose file content directly, confirming the existence, size, and basic properties of arbitrary files (e.g., `/etc/passwd`, `/var/log/auth.log`) can be an information disclosure vulnerability. This could aid an attacker in mapping the file system or identifying sensitive files. Implement strict validation and sanitization for the `gif_path` parameter. Ensure that the path refers only to files within an expected and safe directory, such as a temporary upload folder. Prevent path traversal sequences (`../`) and absolute paths. If the skill is intended to process user-uploaded files, ensure these files are stored in an isolated, non-sensitive location before validation. | Static | core/validators.py:10 |
| LOW | Covert behavior / concealment directives: Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
| INFO | Unpinned Dependencies in requirements.txt: The `requirements.txt` file specifies dependencies using `>=` operators (e.g., `pillow>=10.0.0`). This allows for automatic updates to newer versions, which could introduce breaking changes, unexpected behavior, or even security vulnerabilities if a malicious update is published to a package. Best practice is to pin dependencies to exact versions (e.g., `pillow==10.0.0`) to ensure deterministic builds and prevent supply chain risks. Pin all dependencies to exact versions using `==` (e.g., `pillow==10.0.0`). Consider using a dependency management tool like Poetry or Pipenv, or generating a `requirements.txt` with exact versions using `pip freeze > requirements.txt` after verifying the working environment. | Static | requirements.txt:1 |