Trust Assessment
ai-proposal-generator received a trust score of 90/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The single finding is Potential Command Injection via PDF Export.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via PDF Export.** The skill description mentions an 'export pdf' command and the capability to 'Convert HTML to PDF'. If the HTML content, which can be influenced by user input (meeting notes, custom templates, user edits), is passed to an external PDF conversion utility (e.g. wkhtmltopdf, puppeteer) without proper sanitization, an attacker could inject arbitrary shell commands. This is a common attack vector for features that convert user-controlled content to other formats via external processes. Ensure all user-controlled input, including generated HTML content, is sanitized and escaped before being passed to any external command-line tool or subprocess for PDF conversion. Consider libraries that render HTML to PDF in-process without invoking a shell, or strictly allowlist permitted HTML tags and attributes to prevent malicious script injection. | LLM | SKILL.md:150 |

Note on the remediation: the two controls named in the finding address different risks. Shell command injection only arises when user-controlled data (a title used as the output file name, a template path, the HTML itself) is interpolated into a command string that a shell parses; invoking the converter with an argument list and no shell removes that vector regardless of the content. Allowlisting HTML tags and attributes addresses the separate risk of the renderer executing scripts or fetching local or internal resources from attacker-supplied markup, which a headless browser or wkhtmltopdf will otherwise do. An export that renders user-edited content warrants both.
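The following is an added illustration of the finding, not code from ai-proposal-generator or SkillShield. It places the vulnerable shell-string invocation beside the hardened argv-list version, adds an allowlist HTML sanitizer for the content that reaches the renderer, and derives the output file name by character allowlisting. It assumes a wkhtmltopdf-style converter that takes `<src> <dst>` as its final two arguments; `echo` and a Python one-liner stand in for the converter so the demo runs without wkhtmltopdf installed, and the malicious title and HTML are constructed inputs.

```python
"""Shell-string vs argv invocation for an HTML -> PDF export, plus allowlist HTML
sanitisation. Hypothetical code, not from ai-proposal-generator. Assumes a
wkhtmltopdf-style converter taking `<src> <dst>` as its last two arguments; `echo`
and a Python one-liner stand in for it so this runs without wkhtmltopdf."""
import html
import os
import re
import subprocess
import sys
import tempfile
from html.parser import HTMLParser

# Constructed malicious inputs: a proposal title carrying a shell metacharacter, and
# HTML with a script, an event handler, a local-file image and a javascript: link.
INJECTED_TITLE = "q3; echo INJECTED"
MALICIOUS_HTML = (
    '<h1>Q3 proposal</h1><p onclick="x()">Hi <script>alert(1)</script>'
    '<img src="file:///etc/passwd"><a href="javascript:void(0)">link</a></p>'
)


def export_pdf_unsafe(title: str, converter: str = "echo") -> str:
    """Vulnerable pattern: the user-controlled title is interpolated into one command
    string that /bin/sh parses, so `;` ends the converter command and the rest of the
    title runs as a second command. Returns the shell's stdout."""
    cmd = f"{converter} proposal.html {title}.pdf"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


ALLOWED_TAGS = {"p", "h1", "h2", "h3", "ul", "ol", "li", "strong", "em", "br",
                "table", "tr", "td", "th"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags with no attributes, discards the contents of
    <script>/<style>, and re-escapes text nodes on output."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(untrusted: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    parser.close()
    return "".join(parser.out)


def export_pdf_safe(untrusted_html: str, title: str, out_dir: str,
                    converter: tuple = ("wkhtmltopdf", "--disable-local-file-access")):
    """Hardened export: sanitised HTML goes to a temp file, the output name is derived
    from the title by character allowlisting, and the converter runs with an argv list
    (no shell), so metacharacters in the title are just file-name bytes.
    Returns (argv used, output path)."""
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", title).strip("_")[:64] or "proposal"
    dst = os.path.join(out_dir, f"{stem}.pdf")
    with tempfile.NamedTemporaryFile("w", suffix=".html", dir=out_dir, delete=False) as src:
        src.write(sanitize_html(untrusted_html))
    argv = [*converter, src.name, dst]
    subprocess.run(argv, check=True, capture_output=True)  # list form: no shell parsing
    os.unlink(src.name)
    return argv, dst


# Stand-in "converter" for hosts without wkhtmltopdf: copies src to dst unchanged.
STAND_IN_CONVERTER = (sys.executable, "-c",
                      "import shutil, sys; shutil.copyfile(sys.argv[1], sys.argv[2])")


def demo() -> dict:
    """Runs both paths on the constructed inputs and returns what each produced."""
    with tempfile.TemporaryDirectory() as d:
        argv, dst = export_pdf_safe(MALICIOUS_HTML, INJECTED_TITLE, d, STAND_IN_CONVERTER)
        with open(dst, encoding="utf-8") as f:
            rendered = f.read()  # the stand-in copied the sanitised HTML verbatim
    return {"unsafe_stdout": export_pdf_unsafe(INJECTED_TITLE), "safe_argv": argv,
            "safe_output": os.path.basename(dst), "rendered": rendered}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running `demo()` shows the unsafe path producing two lines of output, the second from the injected `echo`, while the safe path passes the whole title as one argv element and writes `q3__echo_INJECTED.pdf`; the sanitiser strips the script, the event handler, the `file://` image and the `javascript:` link before anything reaches the renderer. The `--disable-local-file-access` flag is a real wkhtmltopdf option and belongs in the default argv for the same reason the sanitiser exists: the renderer must not be able to read local files on the attacker's behalf.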
Full report: https://skillshield.io/report/a85efb81abfb6311