Security Audit
mrdulasolutions/exchekskills:exchek-jurisdiction
github.com/mrdulasolutions/exchekskills

Trust Assessment
mrdulasolutions/exchekskills:exchek-jurisdiction received a trust score of 59/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 1 medium, and 2 low severity. Key findings include Unpinned npm dependency version, Node lockfile missing, Arbitrary File Read and Data Exfiltration via Script Argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on March 18, 2026 (commit c49adb39). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary File Read and Data Exfiltration via Script Argument.** The skill instructs the LLM to execute a local script (`node exchek-docx/scripts/report-to-docx.mjs`) with a file path (`<full-path-to-temp.md>`) as an argument. This file path is generated by the LLM, potentially influenced by user input (e.g., 'Ask where to save the jurisdiction memo'). The `report-to-docx.mjs` script then uses `readFileSync` on this path. If a malicious user can inject a path like `../../../../etc/passwd` or `/proc/self/environ` into the argument passed to the script, the script will read the content of that sensitive file. The skill then explicitly states: 'If the Document Converter is not available, or you cannot write files: output the full memo in chat and instruct the user to save it.' This creates a direct channel for exfiltrating the content of arbitrary files read by the script back to the user via the LLM's chat output. Recommendations: 1. **Sanitize/Validate File Paths**: Implement strict validation and sanitization for any file paths derived from user input or LLM-generated paths that are influenced by user input. Paths should be restricted to a specific, non-sensitive directory (e.g., a temporary sandbox folder) and should not allow directory traversal (`..`). 2. **Isolate Script Execution**: Run the `report-to-docx.mjs` script in a sandboxed environment with minimal permissions, restricting its access to only the necessary temporary files and output directories. 3. **Review LLM Path Generation**: Ensure the LLM's logic for generating `<full-path-to-temp.md>` is robust against prompt injection attempts that try to manipulate the path. 4. **Prevent Exfiltration of Raw File Content**: If the script fails to write the `.docx`, the LLM should *not* output the raw content of the memo (which could be the content of a sensitive file) directly to chat. Instead, it should report an error or provide a generic message without revealing potentially sensitive data. | LLM | SKILL.md:48 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'docx' is not pinned to an exact version ('^9.6.1'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | exchek-jurisdiction/scripts/package.json |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | exchek-jurisdiction/scripts/package.json |
| LOW | **Unpinned Dependency in `package.json`.** The `scripts/package.json` file specifies the `docx` dependency with a caret range (`^9.6.1`). This allows `npm` to install any version compatible with `9.6.1` (i.e., `9.x.x`). While common, this introduces a minor supply chain risk, as a malicious update within the `9.x.x` range could be automatically installed without explicit review, potentially introducing vulnerabilities. Pin dependencies to exact versions (e.g., `"docx": "9.6.1"`) to ensure deterministic builds and prevent unexpected updates. Use a `package-lock.json` or similar lock file to ensure consistent dependency resolution across environments. | LLM | scripts/package.json:9 |
Full report: https://skillshield.io/report/c51580f8f7aa52f9
Powered by SkillShield