Security Audit
dkyazzentwatwa/chatgpt-skills:named-entity-extractor
github.com/dkyazzentwatwa/chatgpt-skills

Trust Assessment
dkyazzentwatwa/chatgpt-skills:named-entity-extractor received a trust score of 41/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 2 medium, and 0 low severity. Key findings include Unpinned Python dependency version, Arbitrary File Read/Write via User-Controlled Paths, Potential Command Injection/Supply Chain Risk via spaCy Model Download.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 24, 2026 (commit d4bad335). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary File Read/Write via User-Controlled Paths.** The skill allows reading from and writing to arbitrary file paths on the host system. The `extract_file`, `extract_batch`, `to_csv`, `to_json`, and `highlight_text` methods take `filepath`, `folder`, or `output` arguments directly from user input (as indicated by CLI examples in SKILL.md). An attacker could exploit this to read sensitive system files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, environment variables from `/proc/self/environ`) or write malicious content to arbitrary locations, potentially leading to data exfiltration, denial of service, or remote code execution. Implement strict input validation and sanitization for all file paths. Restrict file operations to a designated, isolated directory (e.g., a sandbox). Avoid directly using user-provided paths for file I/O. If file access is necessary, use an allowlist of permitted file types and locations, and ensure paths are canonicalized and checked against security boundaries. | Static | scripts/entity_extractor.py:109 |
| HIGH | **Potential Command Injection/Supply Chain Risk via spaCy Model Download.** The `EntityExtractor` class's `__init__` method takes a `model` argument which is passed directly to `spacy.cli.download()`. This function typically uses `pip install` internally. If an attacker can control the `model` parameter, they could potentially inject malicious commands into the `pip install` call (e.g., `pip install 'malicious_package; rm -rf /'`) or force the installation of a malicious package from a custom index or a typosquatted package. While modern `pip` versions have some protections, passing untrusted input to a package manager remains a significant supply chain and command injection risk. Validate and sanitize the `model` parameter to ensure it only contains known, safe spaCy model names. Consider using a fixed set of allowed model names or implementing a more secure mechanism for model installation that does not rely on direct user input to `spacy.cli.download`. | Static | scripts/entity_extractor.py:50 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `spacy>=3.7.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | named-entity-extractor/scripts/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `pandas>=2.0.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | named-entity-extractor/scripts/requirements.txt:2 |
[Full report on SkillShield](https://skillshield.io/report/328ee1c27e0ebf93)

Powered by SkillShield