Trust Assessment
pdf received a trust score of 40/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 0 critical, 4 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via External Utilities, Excessive Filesystem Access via Script Arguments, Potential Data Exfiltration via Arbitrary File Reads.
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, manifest_analysis, static_code_analysis. The static_code_analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via External Utilities: The skill provides examples of using command-line utilities such as `pdftotext`, `qpdf`, `pdftk`, and `pdfimages`. If the AI agent constructs these commands by directly embedding unsanitized user input (e.g., filenames), a malicious user could inject arbitrary shell commands. For example, providing a filename like `my_doc.pdf; rm -rf /` could lead to severe system compromise. When constructing shell commands based on user input, strictly sanitize or escape all user-provided strings before embedding them into the command. Consider using a library that handles command execution safely, or explicitly whitelist allowed characters/patterns for filenames. | Unknown | SKILL.md:160 |
| HIGH | Excessive Filesystem Access via Script Arguments: Multiple Python scripts (`check_bounding_boxes.py`, `check_fillable_fields.py`, `convert_pdf_to_images.py`, `create_validation_image.py`, `extract_form_field_info.py`, `extract_form_structure.py`, `fill_fillable_fields.py`, `fill_pdf_form_with_annotations.py`) accept file paths directly from command-line arguments (`sys.argv`). If the AI agent invokes these scripts with user-controlled paths, it could be coerced into reading or writing to arbitrary locations on the filesystem, leading to data exfiltration, data corruption, or privilege escalation. Implement strict validation and sanitization for all file paths provided by the user. Restrict file operations to a designated, isolated working directory (e.g., a sandbox). Avoid allowing the agent to specify absolute paths or paths outside the designated working directory. Consider using a virtual filesystem or containerization for execution environments. | Unknown | scripts/check_bounding_boxes.py:60 |
| HIGH | Potential Data Exfiltration via Arbitrary File Reads: The Python scripts, by accepting arbitrary file paths as input (e.g., `input pdf`, `fields.json`), create a vector for data exfiltration. An attacker could instruct the AI agent to process a sensitive system file (e.g., `/etc/passwd`, configuration files, private keys) as if it were a PDF or JSON, potentially leading to its content being read and exposed. As with excessive permissions, restrict file access to a sandboxed environment. Validate file types and content before processing. Do not allow the agent to read files from arbitrary system paths. Implement logging and monitoring for file access patterns. | Unknown | scripts/check_fillable_fields.py:5 |
| HIGH | Potential Data Overwrite/Creation via Arbitrary File Writes: Several Python scripts (e.g., `convert_pdf_to_images.py`, `create_validation_image.py`, `extract_form_field_info.py`, `extract_form_structure.py`, `fill_fillable_fields.py`, `fill_pdf_form_with_annotations.py`) accept arbitrary output file or directory paths. This could allow an attacker to instruct the AI agent to overwrite critical system files, create malicious files in sensitive locations (e.g., web server directories), or exhaust disk space, leading to denial of service or system compromise. Restrict output file operations to a designated, isolated working directory. Do not allow the agent to specify absolute paths or paths outside the designated working directory. Implement strict validation for output paths and filenames. Ensure proper error handling and resource limits to prevent denial-of-service attacks. | Unknown | scripts/convert_pdf_to_images.py:17 |