Trust Assessment
legaldoc-ai received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 25 findings: 3 critical, 4 high, 16 medium, and 2 low severity. Key findings include "Arbitrary command execution", "Missing required field: name", and "Dangerous call: subprocess.run()".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Dependency Graph layer scored lowest at 9/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (25)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/manas-io-ai/legaldoc-ai/execution/clause_extractor.py:238 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/manas-io-ai/legaldoc-ai/execution/document_summarizer.py:149 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/manas-io-ai/legaldoc-ai/execution/legaldoc.py:50 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'load_document'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/manas-io-ai/legaldoc-ai/execution/clause_extractor.py:238 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'load_document'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/manas-io-ai/legaldoc-ai/execution/document_summarizer.py:149 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_component'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/manas-io-ai/legaldoc-ai/execution/legaldoc.py:50 | |
| HIGH | Path Traversal leading to Data Exfiltration The `load_document` function, used by both `clause_extractor.py` and `document_summarizer.py`, directly uses user-provided `file_path` arguments with `Path(file_path).read_text()`. An attacker can provide a path traversal sequence (e.g., `../../../../etc/passwd`) to read arbitrary files on the system. The content of these files would then be processed by the skill and potentially included in summaries or clause extractions, which could be returned to the user or logged, leading to sensitive data disclosure. Implement strict validation and sanitization for all user-provided file paths. Ensure that file paths are restricted to an allowed directory (e.g., a sandboxed upload folder) and do not contain path traversal sequences (`..`, absolute paths outside the designated sandbox). Consider using `os.path.abspath` combined with `os.path.commonprefix` to verify paths. | LLM | execution/document_summarizer.py:100 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/manas-io-ai/legaldoc-ai/SKILL.md:1 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/manas-io-ai/legaldoc-ai/execution/legal_research.py:16 | |
| MEDIUM | Unpinned Python dependency version Requirement 'pypdf>=3.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manas-io-ai/legaldoc-ai/requirements.txt:9 | |
| MEDIUM | Unpinned Python dependency version Requirement 'python-docx>=0.8.11' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manas-io-ai/legaldoc-ai/requirements.txt:12 | |
| MEDIUM | Unpinned Python dependency version Requirement 'pytesseract>=0.3.10' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manas-io-ai/legaldoc-ai/requirements.txt:15 | |
| MEDIUM | Unpinned Python dependency version Requirement 'Pillow>=9.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manas-io-ai/legaldoc-ai/requirements.txt:16 | |
| MEDIUM | Unpinned Python dependency version Requirement 'requests>=2.28.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manas-io-ai/legaldoc-ai/requirements.txt:22 | |
| MEDIUM | Unpinned Python dependency version Requirement 'urllib3>=2.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manas-io-ai/legaldoc-ai/requirements.txt:23 | |
| MEDIUM | Unpinned Python dependency version Requirement 'python-dateutil>=2.8.2' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manas-io-ai/legaldoc-ai/requirements.txt:26 | |
| MEDIUM | Unpinned Python dependency version Requirement 'PyYAML>=6.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manas-io-ai/legaldoc-ai/requirements.txt:29 | |
| MEDIUM | Unpinned Python dependency version Requirement 'rich>=13.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manas-io-ai/legaldoc-ai/requirements.txt:32 | |
| MEDIUM | Unpinned Python dependency version Requirement 'pytest>=7.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manas-io-ai/legaldoc-ai/requirements.txt:35 | |
| MEDIUM | Unpinned Python dependency version Requirement 'pytest-cov>=4.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manas-io-ai/legaldoc-ai/requirements.txt:36 | |
| MEDIUM | Unpinned Python dependency version Requirement 'black>=23.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manas-io-ai/legaldoc-ai/requirements.txt:37 | |
| MEDIUM | Unpinned Python dependency version Requirement 'mypy>=1.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manas-io-ai/legaldoc-ai/requirements.txt:38 | |
| MEDIUM | Sensitive Data Sent to Third-Party API The `legal_research.py` script sends user-provided queries to the `COURTLISTENER_API`. While the query is URL-encoded, if a user includes sensitive or proprietary information in their research query, that data will be transmitted to a third-party service (CourtListener). This constitutes data exfiltration of potentially confidential information. Implement strict input sanitization and PII (Personally Identifiable Information) detection for research queries. Clearly inform users that their queries are sent to third-party services and advise against including sensitive information. Consider offering an on-premise or private research option for highly sensitive data. | LLM | execution/legal_research.py:200 | |
| LOW | Presence of Multiple API Keys and Webhooks The skill utilizes several API keys (`LEGALDOC_API_KEY`, `WESTLAW_API_KEY`, `LEXIS_API_KEY`, `COURTLISTENER_API_KEY`, `CLIO_API_KEY`) and a `slack_webhook` URL, primarily read from environment variables or configuration files. While these are used for their intended purpose (external API calls), the presence and handling of multiple sensitive credentials increase the attack surface. Any compromise of the skill's runtime environment could expose these keys, leading to unauthorized access to integrated services. Ensure all API keys and webhooks are stored securely (e.g., using a dedicated secrets management service) and never hardcoded or logged. Implement least privilege access for the skill's runtime environment, granting access only to necessary secrets. Rotate API keys regularly. | LLM | SKILL.md:140 | |
| LOW | Unpinned Dependencies in requirements.txt The `requirements.txt` file specifies dependencies using loose version constraints (e.g., `pypdf>=3.0.0`). This 'unpinned' approach means that future installations could pull in newer, potentially vulnerable, or even malicious versions of these libraries without explicit review. This increases the risk of supply chain attacks or unexpected breaking changes. Pin all dependencies to exact versions (e.g., `pypdf==3.1.0`) to ensure reproducible builds and prevent unexpected updates. Regularly audit and update dependencies to benefit from security patches while maintaining control over the versions used. Consider using a dependency lock file (e.g., `Pipfile.lock` or `poetry.lock`). | LLM | requirements.txt:5 |