Trust Assessment
batch-convert received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Command Injection via External Tools, Excessive File System Permissions with User-Controlled Paths, Potential Data Exfiltration via Arbitrary File Read/Write.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Command Injection via External Tools The skill uses `subprocess.run` to execute external tools (`pandoc`, `marp`, `soffice`) with user-controlled input paths and output paths. Although `subprocess.run` is used with a list of arguments (which is safer than `shell=True`), these external tools can interpret arguments within the provided file paths. An attacker could craft malicious filenames or directory names (e.g., containing `--option value` or command substitution like `$(command)`) that are then passed to the external command, leading to arbitrary command execution or unintended behavior. Sanitize all user-controlled input and output paths before passing them to `subprocess.run` or external tools. Implement strict validation to ensure paths only contain allowed characters and do not start with or contain characters that could be interpreted as command-line options (e.g., `-`). Consider using a dedicated library for path sanitization or wrapping external calls in a more secure manner, potentially by creating temporary files with guaranteed safe names and copying content. | LLM | SKILL.md:70 | |
| HIGH | Excessive File System Permissions with User-Controlled Paths The skill is granted `file_operations` and `code_execution` permissions. The `batch_convert` function allows users to specify `input_dir`, `output_dir`, and `file_pattern`. This broad access, combined with user-controlled paths, enables the skill to read from and write to arbitrary locations on the file system. An attacker could specify sensitive system directories as `input_dir` (e.g., `/etc`, `/root`) to read files, or as `output_dir` to write converted files into critical system locations, potentially overwriting existing files or introducing malicious content. Restrict file system access to specific, sandboxed directories. Implement strict path validation to ensure `input_dir` and `output_dir` are within an allowed scope (e.g., a dedicated workspace directory for the skill). Avoid allowing arbitrary `file_pattern` values; instead, define a whitelist of allowed file extensions or patterns. If `code_execution` is strictly necessary, ensure all executed commands and their arguments are thoroughly sanitized and validated. | LLM | SKILL.md:49 | |
| HIGH | Potential Data Exfiltration via Arbitrary File Read/Write Due to the excessive file system permissions and user-controlled `input_dir`, `output_dir`, and `file_pattern`, an attacker could instruct the skill to read sensitive files from the system (e.g., `/etc/passwd`, configuration files, environment variables if accessible via file system) and then convert them into a readable format (e.g., Markdown, HTML). If the `output_dir` is also controlled by the attacker, the converted sensitive data could be written to an accessible location, facilitating data exfiltration. The `markitdown` library, used for various conversions, reads file content and writes it to a user-specified output path, directly contributing to this risk. Implement robust access control and sandboxing for file operations. Ensure that the skill can only access files and directories explicitly permitted and necessary for its function. Validate all file paths and patterns against a whitelist of allowed locations and types. Any output containing converted data should be handled securely, ideally returned directly to the user or stored in a temporary, isolated location, rather than an arbitrary user-specified path. | LLM | SKILL.md:49 | |
| MEDIUM | Unpinned Dependencies in Installation Instructions The 'Installation' section lists Python dependencies (`pdf2docx`, `markitdown`, `python-docx`, `openpyxl`) without specifying exact version numbers. This practice, known as unpinned dependencies, can introduce supply chain risks. If a future version of any dependency contains a vulnerability or malicious code, or if a dependency's API changes unexpectedly, it could compromise the skill or lead to runtime errors. This also makes builds non-deterministic. Pin all dependencies to exact versions (e.g., `pdf2docx==0.1.3`). Use a `requirements.txt` file with pinned versions to ensure deterministic and secure installations. Regularly review and update dependencies to incorporate security patches while maintaining version control. | LLM | SKILL.md:286 |
Scan History
Embed Code
[](https://skillshield.io/report/affe73e8256921b8)
Powered by SkillShield