Trust Assessment
convert-to-pdf received a trust score of 42/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 0 critical, 3 high, 2 medium, and 1 low severity. Key findings include "Suspicious import: requests", "Potential data exfiltration: file read + network send", and "Unpinned Python dependency version".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential data exfiltration: file read + network send. Function `create_job` reads files and sends data over the network, which may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/crossservicesolutions/convert-to-pdf/scripts/convert-to-pdf.py:62 |
| HIGH | Arbitrary file read via user-controlled path argument. The script `scripts/convert-to-pdf.py` opens files specified by the `--file` command-line argument (line 61: `f = open(p, "rb")`). If an attacker can control this argument (e.g., through a prompt injection instructing the agent to call the skill with a crafted path like `/etc/passwd`), they can read arbitrary files from the agent's filesystem. The skill declares the `files` permission, enabling this vulnerability. Implement strict validation and sanitization of file paths provided by user input. If the skill is intended to only process files uploaded by the user, ensure the paths refer to a secure, isolated temporary directory. Do not allow arbitrary paths from user input. | LLM | scripts/convert-to-pdf.py:61 |
| HIGH | User-controlled API base URL allows data exfiltration. The script `scripts/convert-to-pdf.py` allows the API base URL to be overridden by the `--base-url` command-line argument (line 201: `parser.add_argument("--base-url", help="Base URL for the Solutions API.")`). If an attacker can control this argument, they can redirect the file upload (intended for `api.xss-cross-service-solutions.com`) to an arbitrary server under their control, leading to exfiltration of the user's input files. Remove the `--base-url` command-line argument. The base URL should be hardcoded or configured securely by the skill developer, not exposed to user input. If flexibility is needed, restrict it to a whitelist of trusted endpoints. | LLM | scripts/convert-to-pdf.py:201 |
| MEDIUM | Suspicious import: requests. Import of `requests` detected. This module provides network or low-level system access. Verify this import is necessary; network and system modules in skill code may indicate data exfiltration. | Static | skills/crossservicesolutions/convert-to-pdf/scripts/convert-to-pdf.py:27 |
| MEDIUM | Unpinned Python dependency version. Requirement `requests>=2.32.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/crossservicesolutions/convert-to-pdf/requirements.txt:1 |
| LOW | Unpinned dependency in requirements.txt. The `requirements.txt` file specifies `requests>=2.32.0`, a minimum version rather than a pinned exact version or a specific major/minor version range. While `requests` is a widely used library, unpinned dependencies can introduce supply chain risk if a future version introduces a vulnerability or breaking change, or is compromised. Pin dependencies to exact versions (e.g., `requests==2.32.3`) or use a more restrictive range (e.g., `requests~=2.32.0`) to ensure reproducibility and prevent unexpected updates. | LLM | requirements.txt:1 |
Report: https://skillshield.io/report/e1894207b9d40fc0
Powered by SkillShield