Security Audit
mrdulasolutions/exchekskills:exchek-recordkeeping
github.com/mrdulasolutions/exchekskills

Trust Assessment
mrdulasolutions/exchekskills:exchek-recordkeeping received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 1 medium, and 2 low severity. Key findings include Unpinned npm dependency version, Node lockfile missing, Command Injection via LLM-generated file path.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 53/100, indicating areas for improvement.
Last analyzed on March 18, 2026 (commit c49adb39). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via LLM-generated file path: The skill explicitly instructs the host LLM to execute a shell command: `node exchek-docx/scripts/report-to-docx.mjs <full-path-to-temp.md>`. The `<full-path-to-temp.md>` argument is generated by the LLM based on its internal state and potentially user input. If the LLM is prompted to include shell metacharacters (e.g., `"; rm -rf /"`) in this path, and the environment executing the `node` command does not properly quote or escape the argument, it could lead to arbitrary command execution on the host system. The host environment must ensure that all arguments passed to shell commands are properly quoted and escaped. Alternatively, the skill should use a safer API for file conversion that does not involve direct shell execution with LLM-generated arguments, or strictly validate the generated file path before execution. | LLM | SKILL.md:56 |
| HIGH | Arbitrary File Read via Path Traversal in LLM-generated argument: The `SKILL.md` instructs the LLM to execute `node exchek-docx/scripts/report-to-docx.mjs <full-path-to-temp.md>`. The `report-to-docx.mjs` script takes this path as `process.argv[2]` and resolves it using `resolve(process.cwd(), mdPath)`. It then attempts to read the file's content using `fs.readFileSync(resolved, "utf8")`. If the LLM is prompted to generate a path containing path traversal sequences (e.g., `../../../../etc/passwd`) for `<full-path-to-temp.md>`, the script will attempt to read the content of an arbitrary file on the system. This vulnerability is enabled by the command injection risk and could lead to sensitive data disclosure. Implement strict validation and sanitization of the file path argument before passing it to the `node` script. Ensure the LLM is constrained to generate paths only within a designated, isolated temporary directory. The `report-to-docx.mjs` script should also validate that the resolved path is strictly within an allowed, sandboxed directory. | LLM | scripts/report-to-docx.mjs:179 |
| MEDIUM | Unpinned npm dependency version: Dependency `docx` is not pinned to an exact version (`^9.6.1`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | exchek-recordkeeping/scripts/package.json |
| LOW | Node lockfile missing: `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Commit a lockfile for deterministic dependency resolution. | Dependencies | exchek-recordkeeping/scripts/package.json |
| LOW | Unpinned dependency in package.json: The `docx` dependency in `scripts/package.json` uses a caret (`^`) version specifier (`"^9.6.1"`). This allows automatic updates to new minor and patch versions (e.g., `9.7.0`, `9.6.2`). While common, it introduces a supply-chain risk where a malicious update to the `docx` package within the `9.x.x` range could be automatically pulled in, potentially compromising the skill. Pin the `docx` dependency to an exact version (e.g., `"docx": "9.6.1"`) to ensure deterministic builds and prevent unexpected or malicious updates. Regularly audit and manually update dependencies. | LLM | scripts/package.json:10 |