Trust Assessment
markdown-formatter received a trust score of 78/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include Node lockfile missing, Excessive File System Permissions, Potential Data Exfiltration via Arbitrary File Read.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Excessive File System Permissions: The skill's `formatBatch` function is designed to accept an array of file paths (`markdownFiles`) for processing. The `index.js` file imports the `fs` module, indicating direct file system access. This allows the skill to read arbitrary files from the local file system, which could be exploited by a malicious prompt to access sensitive data outside the skill's intended scope. Recommendation: restrict file system access to a sandboxed directory or specific file types. Ideally, modify the skill to accept file content as a string parameter rather than file paths, preventing direct arbitrary file system access. If file paths are necessary, implement strict path validation and confinement to a designated, non-sensitive working directory. | LLM | index.js:4 |
| MEDIUM | Potential Data Exfiltration via Arbitrary File Read: Building on the excessive file system permissions, the `formatBatch` function's ability to read arbitrary file paths (as described in `SKILL.md`) presents a data exfiltration risk. A malicious prompt could instruct the skill to read sensitive files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, configuration files) and potentially include their content in the skill's output or error messages, thereby exfiltrating data. Recommendation: implement strict input validation for file paths, ensuring they are within an allowed, non-sensitive directory. Avoid returning raw file content in error messages or logs. The most secure approach is to pass file content directly as a string to the skill, rather than allowing it to read files from the file system. | LLM | SKILL.md:105 |
| LOW | Node lockfile missing: `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Recommendation: commit a lockfile for deterministic dependency resolution. | Dependencies | skills/michael-laffin/markdown-formatter/package.json |
Powered by SkillShield