Trust Assessment
ai-podcast-pipeline received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 22 findings: 9 critical, 10 high, 2 medium, and 1 low severity. Key findings include unsafe environment variable passthrough, arbitrary command execution, and credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (22)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Recommendation: review all shell execution calls; ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/jeong-wooseok/ai-podcast-pipeline/scripts/build_dualvoice_audio.py:21 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Recommendation: review all shell execution calls; ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/jeong-wooseok/ai-podcast-pipeline/scripts/build_korean_srt.py:16 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Recommendation: review all shell execution calls; ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/jeong-wooseok/ai-podcast-pipeline/scripts/build_podcast_assets.py:130 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Recommendation: review all shell execution calls; ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/jeong-wooseok/ai-podcast-pipeline/scripts/build_podcast_assets.py:212 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Recommendation: review all shell execution calls; ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/jeong-wooseok/ai-podcast-pipeline/scripts/gemini_multispeaker_tts.py:141 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Recommendation: review all shell execution calls; ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/jeong-wooseok/ai-podcast-pipeline/scripts/gemini_multispeaker_tts.py:148 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Recommendation: review all shell execution calls; ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/jeong-wooseok/ai-podcast-pipeline/scripts/render_subtitled_video.py:58 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Recommendation: review all shell execution calls; ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/jeong-wooseok/ai-podcast-pipeline/scripts/render_subtitled_video.py:156 |
| CRITICAL | Credential harvesting: bulk environment variable dump. Recommendation: skills should only access environment variables they explicitly need; bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious; remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/jeong-wooseok/ai-podcast-pipeline/scripts/build_podcast_assets.py:121 |
| HIGH | Unsafe environment variable passthrough: bulk environment variable harvesting. Recommendation: minimize environment variable exposure; only pass required, non-sensitive variables to MCP servers; use dedicated secret management instead of environment passthrough. | Manifest | skills/jeong-wooseok/ai-podcast-pipeline/scripts/build_podcast_assets.py:121 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_cmd'; this can execute arbitrary code. Recommendation: avoid using dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/jeong-wooseok/ai-podcast-pipeline/scripts/build_dualvoice_audio.py:21 |
| HIGH | Dangerous call: subprocess.check_output(). Call to 'subprocess.check_output()' detected in function 'audio_duration_sec'; this can execute arbitrary code. Recommendation: avoid using dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/jeong-wooseok/ai-podcast-pipeline/scripts/build_korean_srt.py:16 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'generate_bg_with_skill'; this can execute arbitrary code. Recommendation: avoid using dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/jeong-wooseok/ai-podcast-pipeline/scripts/build_podcast_assets.py:130 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'encode_mp4_from_image'; this can execute arbitrary code. Recommendation: avoid using dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/jeong-wooseok/ai-podcast-pipeline/scripts/build_podcast_assets.py:212 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'to_wav_and_mp3'; this can execute arbitrary code. Recommendation: avoid using dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/jeong-wooseok/ai-podcast-pipeline/scripts/gemini_multispeaker_tts.py:141 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'to_wav_and_mp3'; this can execute arbitrary code. Recommendation: avoid using dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/jeong-wooseok/ai-podcast-pipeline/scripts/gemini_multispeaker_tts.py:148 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'main'; this can execute arbitrary code. Recommendation: avoid using dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/jeong-wooseok/ai-podcast-pipeline/scripts/render_subtitled_video.py:156 |
| HIGH | Dangerous call: subprocess.check_output(). Call to 'subprocess.check_output()' detected in function 'probe_duration'; this can execute arbitrary code. Recommendation: avoid using dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/jeong-wooseok/ai-podcast-pipeline/scripts/render_subtitled_video.py:58 |
| HIGH | Data exfiltration via arbitrary file read. The `scripts/build_podcast_assets.py` script's `resolve_source` function allows reading arbitrary local files. If the user provides a direct file path (e.g., `--source /etc/passwd`) or a crafted URL that maps to a sensitive file within the `QUARTZ_ROOT` directory, the script will read the content of that file. This content is then processed by `extract_topics` and could potentially be exfiltrated through the generated YouTube metadata or other outputs. The `QUARTZ_ROOT` environment variable also allows an attacker to point the skill to a sensitive directory if they can control the environment. Recommendation: restrict the `--source` argument to only allow paths within a designated, non-sensitive input directory (e.g., `SKILL_DIR / "input"`); do not allow arbitrary file system paths; if URL mapping is necessary, ensure `QUARTZ_ROOT` is strictly controlled and does not contain sensitive data, or implement stricter path validation for `slug`. | LLM | scripts/build_podcast_assets.py:38 |
| MEDIUM | Suspicious import: urllib. Import of 'urllib' detected; this module provides network or low-level system access. Recommendation: verify this import is necessary; network and system modules in skill code may indicate data exfiltration. | Static | skills/jeong-wooseok/ai-podcast-pipeline/scripts/gemini_multispeaker_tts.py:19 |
| MEDIUM | Command injection via unsanitized font name in FFmpeg filter. The `scripts/render_subtitled_video.py` script constructs an `ffmpeg` video filter string (`vf`) that includes the user-provided `--font-name` argument directly. While `ffmpeg`'s `subtitles` filter is designed to handle font names, a specially crafted `font-name` could potentially break out of the `FontName` parameter or exploit a vulnerability in `ffmpeg`'s filter parsing, leading to command injection or unexpected behavior. Although `ff_escape` is used for paths, it is not applied to `font-name` within the `style` string, making it vulnerable to injection. Recommendation: implement strict validation for `args.font_name` to ensure it only contains alphanumeric characters and allowed symbols, or use a whitelist of approved font names; avoid direct concatenation of untrusted input into command strings without robust escaping or validation. | LLM | scripts/render_subtitled_video.py:120 |
| LOW | Excessive permissions / supply chain risk via arbitrary fonts directory. The `scripts/render_subtitled_video.py` script allows the user to specify an arbitrary `--fonts-dir` path, which is then passed to `ffmpeg`'s `subtitles` filter. While `ff_escape` is used, allowing an arbitrary directory for loading fonts could introduce a supply chain risk if an attacker can control the content of that directory (e.g., by placing malicious font files that could exploit font rendering vulnerabilities in `ffmpeg` or the underlying font libraries). It also grants `ffmpeg` read access to any specified directory, potentially exposing sensitive files. Recommendation: restrict `--fonts-dir` to a known, trusted directory within the skill's controlled environment, or provide a curated list of allowed font directories. | LLM | scripts/render_subtitled_video.py:124 |
Scan History
Report link: https://skillshield.io/report/3debaac3ba640bd9