Security Audit
dkyazzentwatwa/chatgpt-skills:color-palette-extractor
github.com/dkyazzentwatwa/chatgpt-skills
Trust Assessment
dkyazzentwatwa/chatgpt-skills:color-palette-extractor received a trust score of 66/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 0 high, 5 medium, and 0 low severity. Key findings include Unpinned Python dependency version, Arbitrary File Write via Path Traversal, Unpinned Dependencies in requirements.txt.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 24, 2026 (commit d4bad335). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned Python dependency version: Requirement 'pillow>=10.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | color-palette-extractor/scripts/requirements.txt:1 |
| MEDIUM | Unpinned Python dependency version: Requirement 'scikit-learn>=1.3.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | color-palette-extractor/scripts/requirements.txt:2 |
| MEDIUM | Unpinned Python dependency version: Requirement 'numpy>=1.24.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | color-palette-extractor/scripts/requirements.txt:3 |
| MEDIUM | Unpinned Python dependency version: Requirement 'matplotlib>=3.7.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | color-palette-extractor/scripts/requirements.txt:4 |
| MEDIUM | Arbitrary File Write via Path Traversal: The skill accepts arbitrary file paths for output files (CSS, JSON, image swatches, visualizations) directly from user input via command-line arguments. No path sanitization or validation is performed on these paths. This allows a malicious actor to specify paths containing directory traversal sequences (e.g., `../`) to write files to arbitrary locations on the filesystem, potentially overwriting critical system files or user data, leading to denial of service or other system instability. While the content written is not inherently malicious, the ability to write to arbitrary locations is a significant security risk. Implement robust path validation and sanitization for all user-provided file paths. Restrict output paths to a designated, sandboxed directory. Consider using a library that safely handles file paths or explicitly resolving and validating paths to prevent traversal. For example, ensure the resolved path is within an allowed base directory. | LLM | scripts/color_palette_extractor.py:200 |
| INFO | Unpinned Dependencies in requirements.txt: The `requirements.txt` file specifies dependencies using minimum versions (`>=`) rather than exact versions (`==`). While common, this practice can lead to non-deterministic builds, unexpected behavior due to breaking changes in newer versions of dependencies, or potential security vulnerabilities if a future version of a dependency introduces a flaw. Pinning dependencies to exact versions ensures reproducibility and reduces the risk of unforeseen issues. Pin all dependencies to exact versions (e.g., `pillow==10.0.0`) to ensure consistent and reproducible environments. Regularly update and review pinned dependencies for security patches. | LLM | scripts/requirements.txt:1 |