Security Audit
dkyazzentwatwa/chatgpt-skills:password-generator
github.com/dkyazzentwatwa/chatgpt-skills

Trust Assessment
dkyazzentwatwa/chatgpt-skills:password-generator received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Arbitrary File Write via Output Functionality.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 24, 2026 (commit d4bad335). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary File Write via Output Functionality. The skill's `generate_to_csv` method and the command-line interface's `--output` argument allow the user to specify an arbitrary file path for writing generated passwords or passphrases. This means the skill can be instructed to write to any location on the filesystem where the agent has write permissions. An attacker could exploit this to overwrite critical system files (e.g., `/etc/passwd`, configuration files), user data, or other sensitive files, leading to denial of service, data corruption, or potentially privilege escalation if combined with other vulnerabilities. While the content written is generated passwords, the ability to write to an arbitrary path is a significant security risk. Recommendation: restrict file writing to a designated, sandboxed directory (e.g., a temporary directory or a specific output folder); implement robust path validation to prevent directory traversal (e.g., disallow `../` in the filename); consider returning the generated passwords directly to the calling agent instead of writing to a file, if file persistence is not strictly necessary for the skill's core function; and if file writing is essential, ensure the user explicitly confirms the output path or that the path is strictly controlled by the agent environment. | LLM | scripts/password_gen.py:300 |
Report: https://skillshield.io/report/47ee3bc18ca15696