Trust Assessment
compose-gen received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 2 medium, and 1 low severity. Key findings include Unpinned npm dependency version, User input directly injected into LLM prompt, Arbitrary file write via unsanitized output path.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 46/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | User input directly injected into LLM prompt. The `generateCompose` function constructs the user message for the OpenAI API by directly interpolating user-controlled input from `files` (derived from the `--dir` option) and `extra` (from the `--add` option). An attacker can craft malicious input for `--add`, or create specific file names in a controlled directory, to inject instructions into the LLM prompt, potentially overriding the system prompt, extracting sensitive information, or causing the LLM to generate harmful content. Sanitize or escape user input before including it in the LLM prompt. Consider using a structured input format (e.g., JSON) for LLM calls instead of direct string interpolation, or implement a robust input validation and sanitization layer. For `files`, ensure only expected file names are included and that path traversal is prevented during scanning. | LLM | src/index.ts:35 |
| HIGH | Arbitrary file write via unsanitized output path. The `ai-docker-compose` CLI tool uses `fs.writeFileSync` to write the generated `docker-compose.yml` to a file specified by the `--output` (`-o`) command-line option. This option's value (`opts.output`) is used directly without sanitization. An attacker can provide a path traversal sequence (e.g., `../../../../tmp/malicious.yml`) to write the generated content to an arbitrary location on the file system, potentially overwriting critical system files or placing malicious configuration files in sensitive directories. Sanitize the `opts.output` path to prevent path traversal. Ensure the path is within an allowed directory, or normalize it to prevent directory climbing. For example, use `path.resolve` and check that the resolved path is within the intended output directory. | LLM | src/cli.ts:30 |
| MEDIUM | Unpinned npm dependency version. Dependency `commander` is not pinned to an exact version (`^12.1.0`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/lxgicstudios/docker-compose-gen/package.json |
| MEDIUM | File existence probing and disclosure to LLM via unsanitized directory input. The `scanProject` function takes a user-controlled directory path (`opts.dir`) and uses `fs.existsSync(path.join(dir, m))` to check for the presence of specific marker files. While `path.join` mitigates some simple path traversal, a sophisticated attacker might still be able to craft `opts.dir` to probe for the existence of arbitrary files outside the intended project directory. The names of any found marker files are then included in the LLM prompt, effectively exfiltrating information about the file system structure to the OpenAI API. Validate and sanitize the `dir` argument to ensure it points to a legitimate project directory and does not contain path traversal sequences. Restrict the `scanProject` function to operate only within a designated, sandboxed project root. | LLM | src/index.ts:23 |
| LOW | Dependencies use caret ranges, allowing minor/patch updates. The `package.json` file specifies dependencies using caret (`^`) version ranges (e.g., `openai: ^4.73.0`). While `package-lock.json` pins exact versions, using caret ranges in `package.json` means that `npm install` (especially without an existing `package-lock.json` or with certain flags) could install newer minor or patch versions. This introduces a slight supply-chain risk, as a malicious update in a dependency's minor or patch release could be pulled in automatically. Consider using exact version pinning (e.g., `openai: "4.73.0"`) or tilde (`~`) ranges for production dependencies to ensure deterministic builds and reduce the risk of unexpected changes or malicious updates. Regularly audit dependencies for vulnerabilities. | LLM | package.json:9 |
Powered by SkillShield