Trust Assessment
invoice-generator received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Unpinned npm dependency version", "Command Injection via INVOICE_DIR environment variable", and "Arbitrary file read leading to data exfiltration".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via INVOICE_DIR environment variable.** The `INVOICE_DIR` environment variable, which is user-controlled, is used in shell command arguments without proper sanitization or quoting that prevents command substitution. Specifically, the `mkdir -p "$CONFIGS_DIR" "$INVOICES_DIR"` command will execute commands embedded within `INVOICE_DIR` if it contains command substitution syntax like `$(command)`. For example, setting `INVOICE_DIR="/tmp/$(rm -rf /)"` would lead to arbitrary command execution when the script attempts to create the directories. Validate `INVOICE_DIR` to ensure it contains only safe path characters, or use `realpath` to resolve and sanitize the path before using it in shell commands. A simpler approach is to restrict `INVOICE_DIR` to a known safe directory or validate its content to prevent shell metacharacters. | LLM | scripts/generate.sh:16 |
| HIGH | **Arbitrary file read leading to data exfiltration.** The script allows reading an arbitrary file path provided as the first argument (`$1`) using `cat "$1"`. This file's content is then processed. If the file contains valid JSON, its data is used to generate an HTML template and subsequently a PDF. This allows an attacker to read sensitive files (e.g., `/etc/passwd`, `.env` files, API keys) from the system and have their content rendered into a PDF, which is then returned as the script's output path. Even if the file is not valid JSON, its content is read into memory (`JSON_DATA`), which could still be a vector for information disclosure if error messages or logs expose this data. Restrict the paths that can be provided as input. Instead of allowing arbitrary file paths, enforce that the input file must reside within a specific, controlled directory (e.g., `$INVOICE_DIR/data` or `$CONFIGS_DIR`). Alternatively, implement strict validation of the file path to prevent path traversal (`..`) and absolute paths outside allowed directories. | LLM | scripts/generate.sh:31 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'handlebars' is not pinned to an exact version ('^4.7.8'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/tmigone/invoice-generator/package.json |