Security Audit
dkyazzentwatwa/chatgpt-skills:barcode-generator
github.com/dkyazzentwatwa/chatgpt-skills

Trust Assessment
dkyazzentwatwa/chatgpt-skills:barcode-generator received a trust score of 41/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 0 critical, 3 high, 2 medium, and 0 low severity. Key findings include Unpinned Python dependency version, Arbitrary File Write via Path Traversal in Output Paths, Arbitrary File Write via Path Traversal in Batch Generation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 24, 2026 (commit d4bad335). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Arbitrary File Write via Path Traversal in Output Paths.** The skill constructs file paths for barcode output using user-provided strings (e.g., `output` parameter, `filename_column` from CSV, or `code` in batch lists) without sufficient sanitization. This allows an attacker to inject path traversal sequences (e.g., `../../`) to write files to arbitrary locations on the filesystem where the agent has write permissions. This could lead to overwriting critical files, writing malicious scripts, or exfiltrating data by writing it to an accessible directory. Sanitize all user-controlled file path components to prevent path traversal. Before passing `output` or constructing filenames from CSV data, ensure that the path is normalized and restricted to an allowed output directory. For example, use `pathlib.Path(output_dir).joinpath(Path(filename).name)` to ensure only the filename part is used and it is placed within the designated directory, or validate that the resolved path remains within a safe base directory. | Static | scripts/barcode_gen.py:78 |
| HIGH | **Arbitrary File Write via Path Traversal in Batch Generation.** The `batch_generate` method constructs output file paths using values from a CSV file (`filename_column`) without sufficient sanitization. If an attacker controls the content of the CSV file, they can inject path traversal sequences (e.g., `../../`) into the `filename_column` to write files to arbitrary locations on the filesystem. This is a critical vulnerability that can lead to overwriting system files, writing malicious scripts, or data exfiltration. When constructing file paths from user-provided or external data (like CSV columns), ensure that the filename component is strictly sanitized. Use `pathlib.Path(output_dir).joinpath(Path(filename_base).name)` to extract only the base filename and place it securely within the intended output directory. Additionally, consider validating the `output_dir` itself to ensure it is a safe and intended location. | Static | scripts/barcode_gen.py:204 |
| HIGH | **Arbitrary File Write via Path Traversal in Batch List Generation.** The `batch_generate_list` method constructs output file paths using the `code` value from the input list. If the `code` contains path traversal sequences (e.g., `../../`), an attacker could write files to arbitrary locations on the filesystem. This is a critical vulnerability that can lead to overwriting system files, writing malicious scripts, or data exfiltration. When constructing file paths from user-provided `code` values, ensure that the `code` is strictly sanitized to prevent path traversal. For example, use `pathlib.Path(output_dir).joinpath(Path(code).name)` to extract only the base filename and place it securely within the intended output directory. Alternatively, filter out any directory separators from the `code` string before using it in the path. | Static | scripts/barcode_gen.py:230 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `python-barcode>=0.15.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | barcode-generator/scripts/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `Pillow>=10.0.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | barcode-generator/scripts/requirements.txt:2 |
Full report: [skillshield.io/report/274f47a7413a236e](https://skillshield.io/report/274f47a7413a236e)