Trust Assessment
dwg-to-excel received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Missing required field: name, Arbitrary Command Execution via External Exporter Path, Broad Filesystem Access for Batch Conversion.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary Command Execution via External Exporter Path The `DWGExporter` class allows specifying the path to the `DwgExporter.exe` executable via the `exporter_path` constructor argument. If an untrusted input can control this argument, an attacker could point to an arbitrary malicious executable, leading to arbitrary command execution on the host system. While `subprocess.run` is used safely with a list of arguments (mitigating shell injection from file paths), the `exporter_path` itself is directly executed. Ensure that the `exporter_path` argument is never derived from untrusted user input. If user configuration is necessary, validate the path against a whitelist of allowed executables or directories, or ensure it points to a known, trusted binary. | LLM | SKILL.md:111 | |
| HIGH | Broad Filesystem Access for Batch Conversion The `batch_convert` method accepts a `folder` argument and, if `include_subfolders` is true, uses `Path.glob("**/*.dwg")` to recursively scan for DWG files. If an untrusted input can specify a broad or sensitive folder path (e.g., root directory), this could lead to excessive filesystem scanning, potential denial-of-service due to resource exhaustion, or unintended exposure of file paths. Restrict the `folder` argument to specific, sandboxed directories. Implement path validation to prevent traversal attacks (e.g., `../`). Consider adding limits to the number of files processed or the depth of recursion. | LLM | SKILL.md:140 | |
| HIGH | Reliance on Unmanaged External Binary The skill's core functionality is entirely dependent on an external, proprietary executable, `DwgExporter.exe`, which is not included or managed within the skill package. The security and integrity of the entire conversion process are contingent upon the trustworthiness and security of this external binary. A compromised or malicious `DwgExporter.exe` could lead to severe security breaches, including data manipulation or exfiltration, without the skill's Python code being directly at fault. Include `DwgExporter.exe` within the skill package, if legally and practically feasible, and ensure its integrity through hashing or digital signatures. Alternatively, provide clear instructions and warnings about the external dependency and its security implications, advising users to obtain it from trusted sources and verify its authenticity. | LLM | SKILL.md:109 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/dwg-to-excel/SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/1721319fe820f42a)
Powered by SkillShield