Trust Assessment
make-pdf received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 95 findings: 43 critical, 48 high, 3 medium, and 0 low severity. Key findings include Covert behavior / concealment directives, File read + network send exfiltration, Dangerous tool allowed: Bash.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on April 29, 2026 (commit e8893a18). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings95
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:7 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:13 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:17 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:21 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:26 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:32 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:35 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:43 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:44 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:50 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:56 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:61 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:66 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:77 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:78 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:94 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:96 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:101 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:102 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:115 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:142 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:152 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:153 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:170 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:171 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:216 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:232 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:234 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:240 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:258 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:259 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:322 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:323 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:368 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:387 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:393 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:394 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/SKILL.md:404 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/src/browseClient.ts:13 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/src/browseClient.ts:104 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | make-pdf/src/setup.ts:45 | |
| CRITICAL | Command Injection via 'eval' of external binary output The skill uses 'eval' on the output of the 'gstack-slug' binary. If an attacker can control the output of 'gstack-slug' (e.g., by compromising the binary itself or manipulating its execution environment), they can inject and execute arbitrary shell commands on the host system. This is a direct and highly dangerous form of command injection. Avoid using 'eval' with untrusted or potentially manipulable external command output. If the output is intended to set environment variables, parse it safely or use a more controlled mechanism. Ensure the 'gstack-slug' binary and its execution path are secured and cannot be tampered with. | LLM | SKILL.md:60 | |
| CRITICAL | Command Injection via 'source' of external binary output The skill uses 'source' (or '.') to execute commands from the output of the 'gstack-repo-mode' binary. Similar to 'eval', if an attacker can control the output of 'gstack-repo-mode', they can inject and execute arbitrary shell commands on the host system. Avoid using 'source' with untrusted or potentially manipulable external command output. If the output is intended to set environment variables, parse it safely or use a more controlled mechanism. Ensure the 'gstack-repo-mode' binary and its execution path are secured and cannot be tampered with. | LLM | SKILL.md:40 | |
| HIGH | Covert behavior / concealment directives Directive to hide behavior from user Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | make-pdf/SKILL.md:460 | |
| HIGH | Covert behavior / concealment directives Directive to hide behavior from user Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | make-pdf/SKILL.md:495 | |
| HIGH | Covert behavior / concealment directives Directive to hide behavior from user Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | make-pdf/SKILL.md:498 | |
| HIGH | Covert behavior / concealment directives Directive to hide behavior from user Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | make-pdf/SKILL.md:514 | |
| HIGH | Covert behavior / concealment directives Directive to hide behavior from user Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | make-pdf/SKILL.md:517 | |
| HIGH | Dangerous tool allowed: Bash The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | make-pdf/SKILL.md:1 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:7 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:13 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:17 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:21 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:26 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:32 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:35 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:43 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:44 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:50 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:56 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:61 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:66 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:77 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:78 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:94 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:96 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:101 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:102 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:115 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:142 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:152 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:153 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:170 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:171 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:216 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:232 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:234 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:240 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:258 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:259 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:322 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:323 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:368 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:387 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:393 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:394 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | make-pdf/SKILL.md:404 | |
| HIGH | Data Exfiltration: Repository name logged despite privacy policy The skill's telemetry logging explicitly states 'No code, file paths, or repo names.' will be shared. However, the code logs the repository name using `basename "$(git rev-parse --show-toplevel 2>/dev/null)"`. This directly contradicts the stated privacy policy and constitutes an unauthorized data exfiltration of potentially sensitive repository information. Remove the `"repo":"'$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null || echo "unknown")'"}` part from the telemetry log payload to align with the stated privacy policy. Ensure all data collection adheres strictly to declared policies. | LLM | SKILL.md:49 | |
| HIGH | Command Injection via 'eval' of external binary output (second instance) Another instance of 'eval' on the output of 'gstack-slug' is found. This reinforces the critical command injection vulnerability, as it provides another entry point for an attacker to execute arbitrary shell commands if they can control the output of 'gstack-slug'. Avoid using 'eval' with untrusted or potentially manipulable external command output. If the output is intended to set environment variables, parse it safely or use a more controlled mechanism. Ensure the 'gstack-slug' binary and its execution path are secured and cannot be tampered with. | LLM | SKILL.md:169 | |
| HIGH | Command Injection via alias and export of user-controlled path The `MAKE_PDF_BIN` environment variable, which can be user-controlled, is used to set the `P` variable. This `P` variable is then used to create a shell alias `_p_="$P"` and is exported. If `MAKE_PDF_BIN` contains shell metacharacters (e.g., `/path/to/evil; rm -rf /`), the alias or subsequent commands using the exported `P` could lead to arbitrary command execution. Sanitize or validate the `MAKE_PDF_BIN` environment variable to ensure it contains only a valid, safe file path. Avoid using `eval` or `source` with `$P` in subsequent commands. When setting aliases or exporting variables that originate from user input, ensure proper quoting and escaping to prevent shell metacharacter injection. | LLM | SKILL.md:290 | |
| HIGH | Path Traversal in file read/write operations The `generate` function in `src/orchestrator.ts` directly uses `opts.input` and `opts.output` (derived from CLI arguments) in `fs.readFileSync` and `path.resolve`. An attacker could provide paths containing `../` sequences (e.g., `../../../../etc/passwd`) to read arbitrary files from the system or write to arbitrary locations, leading to information disclosure or data corruption. Implement strict path validation to ensure that `opts.input` and `opts.output` refer only to files within an allowed, sandboxed directory. Use a library or custom logic to normalize paths and reject any that attempt to traverse outside the designated base directory. | LLM | src/orchestrator.ts:60 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | make-pdf/SKILL.md:51 | |
| MEDIUM | Command Injection via 'spawn' with user-controlled path The `preview` function in `src/orchestrator.ts` uses `spawn("open", [outputPath])` to open the generated HTML file. While `spawn` with an array of arguments is generally safer than `exec`, the `open` command is OS-dependent. If `outputPath` contains shell metacharacters and the underlying `open` command on the host system interprets its arguments as a shell command, it could lead to command injection. Additionally, if `outputPath` could be manipulated to point to a malicious executable file type (e.g., a `.bat` or `.sh` file), the OS might execute it. Ensure `outputPath` is strictly validated to be a safe file path and does not contain any shell metacharacters. Consider using a more explicit and sandboxed method for opening files if available, or ensure the `open` command is configured to not execute arbitrary commands based on file content or name. | LLM | src/orchestrator.ts:130 | |
| MEDIUM | Command Injection risk in pdftotext execution The `pdftotext` function in `src/pdftotext.ts` executes the `pdftotext` binary using `execFileSync(info.bin, args)`. The `pdfPath` argument is derived from `opts.output` in `orchestrator.ts`, which originates from user input. If `pdfPath` contains shell metacharacters and `execFileSync` or the `pdftotext` utility itself has an argument injection vulnerability, it could lead to arbitrary command execution. Ensure `pdfPath` is strictly validated and sanitized to prevent shell metacharacter injection. While `execFileSync` with an array of arguments is generally safe, it's a good practice to validate all external inputs used in command execution. | LLM | src/pdftotext.ts:109 | |
| INFO | Custom HTML Sanitizer (potential XSS bypasses) The `sanitizeUntrustedHtml` function uses a custom regex-based approach to strip dangerous HTML elements and attributes. While it targets common XSS vectors, regex-based HTML sanitizers are notoriously difficult to get perfectly right and can be prone to bypasses. A more robust, battle-tested HTML sanitization library (like DOMPurify, as mentioned in comments) is generally recommended for defense-in-depth, even when outputting to a sandboxed browser environment. Consider replacing the custom regex-based sanitizer with a well-maintained and security-audited HTML sanitization library. If a custom sanitizer must be used, ensure it is thoroughly tested against known XSS bypass techniques and regularly updated. | LLM | src/render.ts:100 |
Scan History
Embed Code
[](https://skillshield.io/report/e802272e079312a0)
Powered by SkillShield