Trust Assessment
slack-gif-creator received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 0 critical, 3 high, 8 medium, and 2 low severity. Key findings include Unsafe deserialization / dynamic eval, Unpinned Python dependency version, Network egress to untrusted endpoints.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 53/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (13)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Path Traversal for Arbitrary File Read.** The skill uses `PIL.Image.open()` to load images, notably mentioned for 'user-uploaded images' in `SKILL.md` and for validating GIFs in `core/validators.py`. If the filename or path provided to `Image.open()` is directly derived from unvalidated user input, an attacker could use path traversal sequences (e.g., `../../../../etc/passwd`) to read arbitrary files from the system. This could lead to data exfiltration. Implement strict input validation and sanitization for any user-provided file paths. Ensure that file paths are confined to a designated upload directory using functions like `os.path.basename` or `pathlib.Path.name` combined with a secure base directory, rather than allowing arbitrary paths. | LLM | SKILL.md:37 |
| HIGH | **Potential Path Traversal for Arbitrary File Read (Validator).** The `validate_gif` function in `core/validators.py` uses `PIL.Image.open(gif_path)`. If the `gif_path` argument is directly derived from unvalidated user input, an attacker could use path traversal sequences (e.g., `../../../../etc/shadow`) to read arbitrary files from the system. This poses a data exfiltration risk. Implement strict input validation and sanitization for any user-provided file paths. Ensure that `gif_path` is confined to a secure, designated directory and that only the filename (not the full path) is taken from user input, if at all. | LLM | core/validators.py:30 |
| HIGH | **Potential Path Traversal for Arbitrary File Write.** The `GIFBuilder.save()` method in `core/gif_builder.py` takes an `output_path` argument which is then passed to `imageio.imwrite()`. If this `output_path` is directly derived from unvalidated user input, an attacker could use path traversal sequences (e.g., `../../../../tmp/malicious.sh`) to write arbitrary files to arbitrary locations on the filesystem. If the content of the GIF frames can also be influenced by the user, this could lead to writing malicious scripts or configuration files, potentially enabling command injection or system compromise. Implement strict input validation and sanitization for any user-provided output file paths. Ensure that the output path is confined to a secure, non-executable directory, and that only the filename (not the full path) is taken from user input, if at all. Consider using a UUID or similar mechanism for filenames to prevent collisions and path manipulation. | LLM | core/gif_builder.py:159 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | cli-tool/components/skills/enterprise-communication/slack-gif-creator/core/easing.py:5 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | cli-tool/components/skills/enterprise-communication/slack-gif-creator/core/frame_composer.py:5 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | cli-tool/components/skills/enterprise-communication/slack-gif-creator/core/gif_builder.py:5 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'pillow>=10.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | cli-tool/components/skills/enterprise-communication/slack-gif-creator/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'imageio>=2.31.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | cli-tool/components/skills/enterprise-communication/slack-gif-creator/requirements.txt:2 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'imageio-ffmpeg>=0.4.9' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | cli-tool/components/skills/enterprise-communication/slack-gif-creator/requirements.txt:3 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'numpy>=1.24.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | cli-tool/components/skills/enterprise-communication/slack-gif-creator/requirements.txt:4 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
| LOW | **Unpinned Dependencies in requirements.txt.** The `requirements.txt` file specifies dependencies using `>=` (e.g., `pillow>=10.0.0`). While this ensures a minimum version, it allows for automatic updates to newer minor or patch versions. This introduces a slight supply chain risk, as a future update to a dependency could inadvertently introduce a vulnerability or breaking change without explicit review. Pin all dependencies to exact versions (e.g., `pillow==10.0.0`) to ensure reproducibility and prevent unexpected changes from upstream packages. Regularly review and update pinned versions. | LLM | requirements.txt:1 |