Trust Assessment
hxxra received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 6 critical, 3 high, 2 medium, and 0 low severity. Key findings include Unsafe environment variable passthrough, Credential harvesting, Missing required field: name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Credential harvesting. Reading well-known credential environment variables. Skills should only access environment variables they explicitly need. Bulk environment dumps (`os.environ.copy`, `JSON.stringify(process.env)`) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/cxlhyx/hxxra/scripts/hxxra.py:438 |
| CRITICAL | Arbitrary File Read/Write via Unsanitized User Input Paths. The skill allows users to specify file paths for input and output operations (e.g., `output`, `from-file`, `dir`, `pdf`, `directory`). These paths are used directly in file system operations (`open()`, `os.makedirs()`, `os.listdir()`, `os.path.join()`) without proper sanitization or validation. An attacker can exploit this by providing paths like `/etc/passwd`, `../../sensitive_data.txt`, or `/dev/null` to read, write, or overwrite arbitrary files on the system, leading to data exfiltration, data corruption, or potential command injection if critical system files are overwritten. Implement robust path sanitization for all user-provided file paths. Use `os.path.abspath()` and `os.path.normpath()` to resolve paths, and then verify that the resolved path remains within an allowed base directory (e.g., a dedicated sandbox or temporary directory). Reject any paths that attempt directory traversal (e.g., contain `..`) or point to absolute system paths outside the allowed scope. | LLM | scripts/hxxra.py:307 |
| CRITICAL | Arbitrary File Read/Write via Unsanitized User Input Paths. The skill allows users to specify file paths for input and output operations (e.g., `output`, `from-file`, `dir`, `pdf`, `directory`). These paths are used directly in file system operations (`open()`, `os.makedirs()`, `os.listdir()`, `os.path.join()`) without proper sanitization or validation. An attacker can exploit this by providing paths like `/etc/passwd`, `../../sensitive_data.txt`, or `/dev/null` to read, write, or overwrite arbitrary files on the system, leading to data exfiltration, data corruption, or potential command injection if critical system files are overwritten. Implement robust path sanitization for all user-provided file paths. Use `os.path.abspath()` and `os.path.normpath()` to resolve paths, and then verify that the resolved path remains within an allowed base directory (e.g., a dedicated sandbox or temporary directory). Reject any paths that attempt directory traversal (e.g., contain `..`) or point to absolute system paths outside the allowed scope. | LLM | scripts/hxxra.py:349 |
| CRITICAL | Arbitrary File Read/Write via Unsanitized User Input Paths. The `download_pdf` function uses a user-controlled `download_dir` parameter directly in `os.path.join()` to construct the file path for saving downloaded PDFs. This allows an attacker to specify a directory traversal sequence (e.g., `../../`) or an absolute path, leading to arbitrary file writes outside the intended download directory. This can result in data exfiltration, data corruption, or command injection if critical system files are overwritten. Before using `download_dir`, sanitize it to prevent directory traversal. Ensure the resolved path is contained within a designated, secure download directory. For example, use `os.path.abspath()` and then check if the path starts with the absolute path of the allowed base directory. | LLM | scripts/hxxra.py:220 |
| CRITICAL | Arbitrary File Read/Write via Unsanitized User Input Paths. The skill allows users to specify file paths for input and output operations (e.g., `output`, `from-file`, `dir`, `pdf`, `directory`). These paths are used directly in file system operations (`open()`, `os.makedirs()`, `os.listdir()`, `os.path.join()`) without proper sanitization or validation. An attacker can exploit this by providing paths like `/etc/passwd`, `../../sensitive_data.txt`, or `/dev/null` to read, write, or overwrite arbitrary files on the system, leading to data exfiltration, data corruption, or potential command injection if critical system files are overwritten. Implement robust path sanitization for all user-provided file paths. Use `os.path.abspath()` and `os.path.normpath()` to resolve paths, and then verify that the resolved path remains within an allowed base directory (e.g., a dedicated sandbox or temporary directory). Reject any paths that attempt directory traversal (e.g., contain `..`) or point to absolute system paths outside the allowed scope. | LLM | scripts/hxxra.py:409 |
| CRITICAL | Arbitrary File Read/Directory Listing via Unsanitized User Input Paths. The `save` command takes a `from-file` parameter which is used directly in `os.path.isdir()` and `os.listdir()`, and subsequently in `open()` for reading. If `from-file` is a directory, `os.listdir()` will list its contents. If `from-file` is a file, `open()` will read it. An attacker can provide paths to sensitive system directories (e.g., `/etc`) to list their contents or to sensitive files (e.g., `/etc/passwd`) to read their content, leading to data exfiltration. Implement robust path sanitization for all user-provided file paths. Use `os.path.abspath()` and `os.path.normpath()` to resolve paths, and then verify that the resolved path remains within an allowed base directory (e.g., a dedicated sandbox or temporary directory). Reject any paths that attempt directory traversal (e.g., contain `..`) or point to absolute system paths outside the allowed scope. | LLM | scripts/hxxra.py:504 |
| HIGH | Unsafe environment variable passthrough. Access to well-known credential environment variables. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/cxlhyx/hxxra/scripts/hxxra.py:438 |
| HIGH | Potential data exfiltration: file read + network send. Function 'download_pdf' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/cxlhyx/hxxra/scripts/hxxra.py:312 |
| HIGH | Unpinned Dependencies in Skill Manifest. The skill's documentation (`SKILL.md`) lists Python dependencies (`scholarly`, `pymupdf`, `pdfplumber`, `openai`) without specifying exact version numbers. This practice, known as unpinned dependencies, can lead to supply chain vulnerabilities. If a new version of any of these libraries introduces a security flaw, breaking change, or malicious code, the skill could automatically pull in the vulnerable version upon installation, compromising its security or stability. It also makes builds non-deterministic. Pin all dependencies to specific, known-good versions (e.g., `scholarly==1.2.3`). Use a `requirements.txt` file with exact versions or a `pyproject.toml` with locked dependencies. Regularly review and update these pinned versions to incorporate security patches while maintaining control over the dependency tree. | LLM | SKILL.md:20 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/cxlhyx/hxxra/SKILL.md:1 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/cxlhyx/hxxra/scripts/hxxra.py:10 |