Trust Assessment
audio-gen received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Sensitive path access: AI agent config", "Potential Command Injection via formatted_script", and "Potential Command Injection via formatted_script (Heredoc)".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential Command Injection via formatted_script: The skill constructs a shell command using `uv run` and directly embeds the `[formatted_script]` variable within double quotes. If the `[formatted_script]` contains user-controlled input (which it does, as it is based on user requests), a malicious user could inject arbitrary shell commands by crafting specific text that includes shell metacharacters (e.g., backticks, dollar signs for command substitution, semicolons, etc.). This could lead to remote code execution on the host system. Recommendation: avoid direct shell execution with unsanitized, user-controlled input. If shell execution is necessary, use a library or function that properly escapes or sanitizes all user-provided arguments. Alternatively, pass arguments as a list to a subprocess call (e.g., `subprocess.run(['uv', 'run', ... , formatted_script])`), which prevents shell interpretation of arguments. Ensure the `tts.py` script itself is robust against malicious input if it further processes the script content. | LLM | skills/udiedrichsen/audio-gen/SKILL.md:154 |
| CRITICAL | Potential Command Injection via formatted_script (Heredoc): Similar to the direct argument, the heredoc approach for long scripts also embeds `[formatted_script]` directly into a shell command. While heredocs can sometimes offer protection, the `$(cat <<'EOF' ... )` construct means the content is still processed by the shell. If `[formatted_script]` contains shell metacharacters or sequences that can break out of the heredoc or be interpreted by the shell before being passed to `tts.py`, it could lead to arbitrary command execution. The single quotes around `EOF` prevent variable expansion within the heredoc, but the entire construct is still part of a larger shell command that processes `[formatted_script]` as part of its input. Recommendation: avoid direct shell execution with unsanitized, user-controlled input. If shell execution is necessary, use a library or function that properly escapes or sanitizes all user-provided arguments. A safer approach is to write the `formatted_script` content to a temporary file and then pass the file path to `tts.py`, or use a subprocess call with arguments passed as a list, preventing shell interpretation. | LLM | skills/udiedrichsen/audio-gen/SKILL.md:163 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: `~/.clawdbot/`. This may indicate credential theft. Recommendation: verify that access to this sensitive path is justified and declared. | Static | skills/udiedrichsen/audio-gen/SKILL.md:296 |
| MEDIUM | Data Exfiltration Risk via /tmp directory: The skill explicitly states that audio files are saved to `/tmp/audio-gen/` and are cleaned up after 24 hours. While `/tmp` is a standard location for temporary files, it is often world-readable or accessible by other processes on the system. If sensitive information were to be included in the generated audio (e.g., the user's private data or internal system details), there is a risk that another process or a malicious actor with local access could read these temporary files before they are cleaned up. The `[topic-slug]` in the filename could also inadvertently expose information about the content. Recommendation: if possible, use a more restricted temporary directory or ensure that the permissions on `/tmp/audio-gen/` are set to be accessible only by the skill's user. If the content is highly sensitive, consider encrypting the temporary files or using in-memory storage if feasible. Ensure `[topic-slug]` is sufficiently sanitized to prevent path traversal or information leakage. | LLM | skills/udiedrichsen/audio-gen/SKILL.md:199 |