Security Audit
dkyazzentwatwa/chatgpt-skills:image-comparison-tool
github.com/dkyazzentwatwa/chatgpt-skillsTrust Assessment
dkyazzentwatwa/chatgpt-skills:image-comparison-tool received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 7 findings: 0 critical, 0 high, 6 medium, and 1 low severity. Key findings include Unpinned Python dependency version, Arbitrary File Write via Unsanitized Output Path, Loose Dependency Version Pinning.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Dependency Graph layer scored lowest at 65/100, indicating areas for improvement.
Last analyzed on February 24, 2026 (commit d4bad335). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unpinned Python dependency version Requirement 'opencv-python>=4.8.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | image-comparison-tool/scripts/requirements.txt:1 | |
| MEDIUM | Unpinned Python dependency version Requirement 'scikit-image>=0.21.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | image-comparison-tool/scripts/requirements.txt:2 | |
| MEDIUM | Unpinned Python dependency version Requirement 'pillow>=10.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | image-comparison-tool/scripts/requirements.txt:3 | |
| MEDIUM | Unpinned Python dependency version Requirement 'numpy>=1.24.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | image-comparison-tool/scripts/requirements.txt:4 | |
| MEDIUM | Unpinned Python dependency version Requirement 'matplotlib>=3.7.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | image-comparison-tool/scripts/requirements.txt:5 | |
| MEDIUM | Arbitrary File Write via Unsanitized Output Path The `create_comparison` method in `ImageComparisonTool` uses `matplotlib.pyplot.savefig` with an output path directly provided by user input (`args.output`) without any sanitization or restriction. This allows an attacker to specify an arbitrary file path, potentially leading to path traversal and overwriting or creating files in unintended locations on the filesystem, given sufficient process permissions. For example, an attacker could provide `../../../../tmp/malicious.png` as the output path. Sanitize the `output` path to prevent directory traversal. This can be done by ensuring the path is within an allowed output directory, normalizing the path, or rejecting paths containing `..` or absolute paths. For example, use `os.path.basename` to only allow writing to the current directory or a specified output directory, or use `pathlib.Path.resolve()` with a base directory check to ensure it's within an expected output root. | Static | scripts/image_comparison.py:90 | |
| LOW | Loose Dependency Version Pinning The `requirements.txt` file uses loose version pinning (`>=`) for all dependencies. While this allows for minor updates, it increases the risk of inadvertently introducing vulnerabilities or breaking changes from newer versions of libraries. For production environments, exact version pinning (`==`) is generally recommended to ensure deterministic builds and prevent unexpected behavior or security regressions. Pin all dependencies to exact versions (e.g., `opencv-python==4.8.0`) to ensure deterministic builds and prevent unexpected changes from upstream packages. Regularly audit and update dependencies to incorporate security fixes. | Static | scripts/requirements.txt:1 |
Scan History
Embed Code
[](https://skillshield.io/report/1c9aa05424fb2f06)
Powered by SkillShield