Security Audit
mrdulasolutions/exchekskills:exchek-classify
github.com/mrdulasolutions/exchekskills
Trust Assessment
mrdulasolutions/exchekskills:exchek-classify received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 2 medium, and 0 low severity. Key findings include Unpinned npm dependency version, Command Injection via Node.js script execution, Excessive File System Write Permissions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on March 18, 2026 (commit c49adb39). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via Node.js script execution: The skill explicitly instructs the host LLM to execute a Node.js script (`node exchek-docx/scripts/report-to-docx.mjs`) with a file path as an argument. This file path is derived from user input (report folder, item name). If a malicious user can inject shell metacharacters (e.g., `;`, `&`, `\|`, `$()`) into the file path, it could lead to arbitrary command execution on the host system. The `report-to-docx.mjs` script directly uses `process.argv[2]` for the path, making it vulnerable if the calling environment (the LLM's shell execution) doesn't sanitize the argument. Recommendation: The LLM must strictly sanitize any user-influenced arguments passed to shell commands to prevent injection of metacharacters. A more secure approach would be to use a dedicated tool invocation mechanism that passes arguments as distinct parameters, or to pass the content via stdin, rather than constructing a shell command string with user-controlled input. | LLM | SKILL.md:50 |
| HIGH | Excessive File System Write Permissions: The skill instructs the LLM to ask the user for an arbitrary folder to save reports in and then to write `.docx` files to that location. It also instructs the LLM to create directories (`ExChek Reports`). This grants the skill broad write access to the user's filesystem, which, especially when combined with the command injection vulnerability, could be exploited to overwrite critical system files or place malicious executables. Recommendation: Limit the scope of file writing to a designated, sandboxed directory that is explicitly approved by the user and isolated from critical system areas. If arbitrary paths are necessary, ensure robust path validation and require explicit user confirmation for any non-standard locations or directory creation. | LLM | SKILL.md:46 |
| HIGH | Excessive File System Read Permissions: The skill instructs the LLM to read user-provided files (e.g., 'spec sheet, datasheet, or other document') to extract item descriptions and specifications. This implies the skill has read access to arbitrary files on the user's system if the user provides a path. This could lead to unauthorized access or exfiltration of sensitive user data if a malicious prompt or user input directs the LLM to read unintended files. Recommendation: Limit file read access to a designated, sandboxed directory or require explicit user confirmation for each file read, especially for files outside a predefined scope. Implement strict validation of file paths to prevent directory traversal attacks. | LLM | SKILL.md:99 |
| MEDIUM | Unpinned npm dependency version: Dependency 'docx' is not pinned to an exact version ('^9.6.1'). Recommendation: Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | exchek-classify/scripts/package.json |
| MEDIUM | Access to User Financial Data (Wallet Balance Check): The skill instructs the LLM to 'Check balance for the user's payment method (e.g. wallet/USDC on the network that matches the donation address)' as part of the donation process. This implies the LLM has the capability to access or query sensitive financial information (wallet balances). While not directly harvesting credentials like private keys, this capability could be concerning regarding user privacy and the scope of data the LLM is allowed to access. Recommendation: Clarify how 'checking balance' is performed. If it involves direct access to user wallets or financial APIs, this should be explicitly disclosed to the user and require strong, granular consent. Consider if this functionality is strictly necessary for the skill's primary purpose, or if a simpler 'provide address for manual donation' approach would suffice. | LLM | SKILL.md:214 |
Scan History
Embed Code
[](https://skillshield.io/report/1ce6850630c2a7c0)
Powered by SkillShield