Trust Assessment
md-slides received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via `marp` CLI arguments, Risk of Data Exfiltration due to broad file and code execution permissions, Excessive permissions granted to the skill.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via `marp` CLI arguments. The skill declares the `code_execution` tool and demonstrates calling the `marp` CLI with arguments such as filenames (e.g., `marp slides.md -o presentation.pdf`). If the input Markdown file path or the output file path is constructed directly from untrusted user input without proper sanitization, an attacker could inject arbitrary shell commands, leading to arbitrary code execution on the host system. Recommendation: implement strict input validation and sanitization for all arguments passed to the `marp` CLI; use a dedicated library for safe command execution that prevents shell injection; consider a temporary, isolated directory for input/output files with strictly controlled file names; where possible, avoid direct shell execution and use a language-specific library for Markdown-to-presentation conversion. | LLM | SKILL.md:70 |
| HIGH | Risk of Data Exfiltration due to broad file and code execution permissions. The skill declares the `file_operations` and `code_execution` tools. The `marp` tool processes Markdown, which can include HTML and potentially other directives that could access local files (e.g., ``). If an attacker can control the Markdown content, they could craft input that reads sensitive files from the system; combined with `code_execution`, this data could then be exfiltrated (e.g., by embedding it in the generated output file, or by using `code_execution` to send it to an external server). Recommendation: restrict `file_operations` to specific, sandboxed directories; sanitize or disallow potentially dangerous Markdown/HTML features (such as `file://` URLs or script tags) if the `marp` tool allows them; ensure the `code_execution` environment is strictly sandboxed and has no network access that could be used for exfiltration; review the `marp` tool's security implications when processing untrusted input. | LLM | Manifest |
| MEDIUM | Excessive permissions granted to the skill. The skill requests the `code_execution` and `file_operations` tools. While `marp` is a CLI tool, these permissions are very broad for a skill whose primary function is 'Create presentations from Markdown'. This broad access significantly increases the attack surface, exposing the skill to command injection and data exfiltration if not handled with extreme care. The skill's core functionality might be achievable with more restricted tools or a more controlled execution environment. Recommendation: re-evaluate whether `code_execution` and broad `file_operations` are strictly necessary; if they are, confine them to a highly sandboxed and restricted environment; consider whether a more specialized tool or a library-based approach (if available for Marp) could achieve the same functionality with fewer permissions; implement strict allow-listing for commands and arguments. | LLM | Manifest |