Trust Assessment
ai-pdf-builder received a trust score of 80/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include LLM instructed to execute shell command `which`, User-controlled input passed to `npx` CLI tool, Skill requires direct filesystem write access.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | LLM instructed to execute shell command `which`. The 'Agent Instructions' explicitly direct the host LLM to execute the shell command `which pandoc` to check for a dependency. This demonstrates that the skill expects the LLM to have direct shell execution capabilities. While `which pandoc` is benign, this capability could be exploited by a malicious user prompt to execute arbitrary shell commands if the LLM's execution environment is not properly sandboxed or if the LLM is not robustly protected against prompt injection leading to command execution. Avoid instructing the LLM to directly execute shell commands. Instead, provide a dedicated tool for checking system dependencies, or instruct the LLM to ask the user to perform the check and report the output. If direct execution is unavoidable, ensure the LLM's execution environment is strictly sandboxed and commands are validated against an allow-list. | LLM | SKILL.md:118 |
| MEDIUM | User-controlled input passed to `npx` CLI tool. The skill instructs the LLM to invoke `npx ai-pdf-builder` with various user-controlled arguments, including file paths (e.g., `./content.md`, `./draft.md`) and free-form text prompts (e.g., "Write a whitepaper about decentralized identity", `--company "Acme Corp"`). If the underlying `ai-pdf-builder` CLI tool does not properly sanitize or escape these inputs before using them in internal shell commands or file operations, a malicious user could craft an input to achieve command injection (e.g., `npx ai-pdf-builder generate whitepaper "$(rm -rf /)"`). The skill itself facilitates passing this untrusted input to the tool. The `ai-pdf-builder` tool should implement robust input sanitization and validation for all user-provided arguments. For the LLM, consider using structured tool calls that pass arguments as distinct parameters rather than concatenating them into a single shell command string, or instruct the LLM to perform sanitization before invoking the CLI. | LLM | SKILL.md:68 |
| LOW | Skill requires direct filesystem write access. The TypeScript example demonstrates the skill's capability to write files directly to the filesystem using `fs.writeFileSync`. While this is necessary functionality for a PDF generation tool, it signifies that the skill operates with direct write access to the local filesystem. In an agentic context, this broad permission could be exploited if the agent is compromised, allowing it to write arbitrary files to arbitrary locations. Ensure the skill's execution environment is sandboxed with the principle of least privilege, restricting write access only to necessary directories. Implement strict validation on file paths and content to prevent writing to arbitrary locations or with malicious content. | LLM | SKILL.md:99 |