Trust Assessment
md-to-office received a trust score of 74/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings include "Potential Command Injection via `--pdf-engine` argument" and "Arbitrary File Read/Write and Path Traversal via User-Controlled Paths".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via `--pdf-engine` argument.** The skill uses `pandoc` for document conversion, and the documentation explicitly shows examples of using the `--pdf-engine` argument (e.g., `pandoc document.md --pdf-engine=xelatex -o document.pdf`). If the skill allows user-controlled input to specify the value for `--pdf-engine` (e.g., through a function parameter like `options` in `md_to_pdf`), an attacker could provide a path to an arbitrary executable or a malicious script. This would lead to arbitrary command execution on the host system. While the provided `md_to_pdf` example does not explicitly pass `pdf-engine`, the general pattern of passing options to `pandoc` via `subprocess.run` is present, and the documentation highlights this specific argument as a configurable option. Implement strict validation and sanitization for all user-provided arguments passed to `pandoc`, especially for arguments like `--pdf-engine`. Only allow a predefined whitelist of safe engines (e.g., `xelatex`, `wkhtmltopdf`) and ensure the paths to these executables are hardcoded or securely configured, not user-supplied. Avoid passing arbitrary user input directly to `subprocess.run` arguments. | LLM | SKILL.md:108 |
| HIGH | **Arbitrary File Read/Write and Path Traversal via User-Controlled Paths.** The skill is designed to perform file operations (`file_operations` tool) and uses `subprocess.run` with `pandoc` to read input files and write output files. Functions like `md_to_docx`, `md_to_pdf`, `md_to_pptx`, `batch_convert`, and `generate_report` accept `input_path`, `output_path`, `input_dir`, `output_dir`, and `template` as arguments. If these arguments are directly derived from untrusted user input without proper sanitization, an attacker could: (1) read arbitrary files by providing a path like `../../../../etc/passwd` as `input_path`; (2) write arbitrary files by providing a path like `../../../../tmp/malicious_script.sh` or `/etc/cron.d/evil` as `output_path`; (3) exfiltrate data by writing sensitive input file content to a publicly accessible output location (if the environment allows); (4) perform path traversal to access files or directories outside the intended working directory. All file paths (`input_path`, `output_path`, `template`, `input_dir`, `output_dir`) derived from user input must be strictly validated. This includes: canonicalizing paths to prevent path traversal (e.g., using `os.path.abspath` and checking against allowed base directories), restricting file operations to a designated, isolated working directory, whitelisting allowed file extensions for output, and ensuring that `template` files are from a trusted source or validated. | LLM | SKILL.md:203 |