Trust Assessment
venue-templates received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 4 critical, 6 high, 1 medium, and 1 low severity. Key findings include "Arbitrary command execution", "Dangerous tool allowed: Bash", and "Dangerous call: subprocess.run()".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/scientific/venue-templates/scripts/validate_format.py:59 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/scientific/venue-templates/scripts/validate_format.py:117 |
| CRITICAL | **Command Injection via User-Controlled File Path.** The `validate_format.py` script executes external commands (`pdfinfo`, `pdffonts`) using `subprocess.run` where the file path (`pdf_path`) is directly derived from user input (`--file` argument). Although `subprocess.run` with a list of arguments is generally safer, the declared 'Bash' permission for this skill implies the host LLM can execute arbitrary shell commands. An attacker could craft a malicious `--file` argument (e.g., 'my_doc.pdf; rm -rf /') which, if the LLM invokes the Python script via a shell (e.g., `os.system` or `subprocess.run(..., shell=True)`), could lead to arbitrary command execution on the host system. Sanitize or validate the `pdf_path` argument to ensure it does not contain shell metacharacters before passing it to `subprocess.run`. Alternatively, ensure the Python script is always invoked directly without a shell, and consider using a safer PDF parsing library instead of external commands if possible. Given the 'Bash' permission, robust input validation is crucial. | Static | scripts/validate_format.py:64 |
| CRITICAL | **Command Injection via User-Controlled File Path.** The `validate_format.py` script executes external commands (`pdffonts`) using `subprocess.run` where the file path (`pdf_path`) is directly derived from user input (`--file` argument). Similar to the `pdfinfo` call, this presents a command injection vulnerability if the LLM invokes the Python script via a shell with a malicious `--file` argument. Sanitize or validate the `pdf_path` argument to ensure it does not contain shell metacharacters before passing it to `subprocess.run`. Alternatively, ensure the Python script is always invoked directly without a shell, and consider using a safer PDF parsing library instead of external commands if possible. Given the 'Bash' permission, robust input validation is crucial. | Static | scripts/validate_format.py:102 |
| HIGH | **Dangerous tool allowed: Bash.** The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | cli-tool/components/skills/scientific/venue-templates/SKILL.md:1 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'get_pdf_info'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/scientific/venue-templates/scripts/validate_format.py:59 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'check_fonts'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/scientific/venue-templates/scripts/validate_format.py:117 |
| HIGH | **Arbitrary File Write via User-Controlled Output Path.** The `customize_template.py` script allows writing content to an arbitrary file path specified by the `--output` argument or interactive user input. An attacker could specify a sensitive system file path (e.g., `/etc/passwd`, `~/.bashrc`) to overwrite or corrupt it, leading to denial of service, privilege escalation, or other system compromise. The skill's declared 'Write' permission makes this exploit directly possible. Restrict the output path to a designated, sandboxed directory (e.g., a 'generated_templates' subdirectory within the skill's own scope). Do not allow arbitrary paths from user input. Validate that the `output_path` is within the allowed directory before opening the file for writing. | Static | scripts/customize_template.py:68 |
| HIGH | **Arbitrary File Write via User-Controlled Report Path.** The `validate_format.py` script allows writing a validation report to an arbitrary file path specified by the `--report` argument. Similar to the `customize_template.py` script, this could be exploited by an attacker to overwrite or corrupt sensitive system files or user data. The skill's declared 'Write' permission makes this exploit directly possible. Restrict the report path to a designated, sandboxed directory (e.g., a 'reports' subdirectory within the skill's own scope). Do not allow arbitrary paths from user input. Validate that the `report_path` is within the allowed directory before opening the file for writing. | Static | scripts/validate_format.py:169 |
| HIGH | **LLM analysis found no issues despite critical deterministic findings.** Deterministic layers flagged 4 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/c0a0b79ad9bd53de