Trust Assessment
repo received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 20 findings: 8 critical, 11 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Missing required field: name, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on May 1, 2026 (commit 738a4641). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (20)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | gateway/main.py:26 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | gateway/main.py:225 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | gateway/main.py:250 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | gateway/main.py:370 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | gateway/main.py:676 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | tts-server/server.py:234 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | tts-server/server.py:283 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | tts-server/server.py:286 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_check_ffmpeg'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | gateway/main.py:26 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'concatenate_audio_ffmpeg'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | gateway/main.py:225 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'ingest_voice'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | gateway/main.py:676 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'concatenate_audio_ffmpeg'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | gateway/main.py:250 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_pad_silence'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | gateway/main.py:370 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'audio_to_bytes'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | tts-server/server.py:234 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'health'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | tts-server/server.py:283 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'health'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | tts-server/server.py:286 | |
| HIGH | Path Traversal vulnerability in file download endpoint The `/files/{file_id}` endpoint allows users to download generated audio files. The current path validation `if not file_path.startswith(STORAGE_DIR):` is insufficient to prevent path traversal attacks. An attacker can craft a `file_id` like `../etc/passwd` or `../../../../etc/passwd`. When `os.path.join(STORAGE_DIR, file_id)` is used, it creates a path like `/app/output/../etc/passwd`. The `startswith` check will pass, but `os.path.abspath()` or `os.path.normpath()` would resolve this to `/etc/passwd`, allowing the attacker to read arbitrary files outside the intended `STORAGE_DIR`. After joining `STORAGE_DIR` and `file_id`, normalize the resulting path using `os.path.abspath()` or `os.path.normpath()`. Then, verify that the normalized path is still inside the normalized `STORAGE_DIR`, comparing whole path components, since a bare string prefix test also accepts sibling directories whose names begin with the same characters. For example: ```python abs_storage_dir = os.path.abspath(STORAGE_DIR) file_path = os.path.join(STORAGE_DIR, file_id) abs_file_path = os.path.abspath(file_path) if os.path.commonpath([abs_storage_dir, abs_file_path]) != abs_storage_dir: logger.warning(f"Path traversal attempt detected: {file_id}") raise HTTPException(status_code=400, detail="Invalid file path") ``` | Static | gateway/main.py:319 | |
| HIGH | Unauthenticated API for dynamic backend configuration leading to SSRF The `/channels` endpoint allows anyone to register or modify voice backend configurations without any authentication. This allows an unauthenticated attacker to inject arbitrary URLs for backend services. The `_call_tts_backend` function then uses these configured URLs to make HTTP POST requests. An attacker can register a malicious internal URL (e.g., `http://localhost:8080/admin`) and then trigger a TTS request using the registered voice, causing the gateway to make a request to the internal service. This Server-Side Request Forgery (SSRF) can be used to scan internal networks, access internal services, or exfiltrate data. Implement robust authentication and authorization for the `/channels` endpoint to ensure only trusted administrators can modify backend configurations. Additionally, implement strict URL validation for `backend_url` to prevent requests to internal networks (e.g., block private IP ranges, loopback addresses) even if authentication is bypassed or misconfigured. | Static | gateway/main.py:294 | |
| HIGH | LLM analysis found no issues despite critical deterministic findings Deterministic layers flagged 8 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | SKILL.md:1 |