Trust Assessment
media-converter received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include: Missing required field: name; Path Traversal leading to Arbitrary File Renaming; Path Traversal leading to Arbitrary File Write.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Path Traversal leading to Arbitrary File Renaming: The skill directly uses a user-provided file path (`filePath`) in `fs.renameSync` after deriving directory and base name components. An attacker can use path traversal sequences (e.g., `../../../`) in the `filePath` argument to rename arbitrary files outside the intended working directory. For example, providing `--file /tmp/foo/../../../../etc/passwd` could lead to renaming `/etc/passwd` to `/etc/passwd.jpg` (if the detected MIME type is JPEG). Sanitize and validate the `filePath` argument to ensure it refers to a file within an allowed, restricted directory. Resolve the path to its absolute form and verify it is a child of a designated safe directory before performing any file operations. Consider using a library that provides secure path handling. | LLM | index.js:50 |
| CRITICAL | Path Traversal leading to Arbitrary File Write: The `gifToPng` function in `lib/convert.js` constructs an `outputPath` for `image.writeAsync` using components derived from a user-controlled `inputPath`. If the `inputPath` contains path traversal sequences (e.g., `../../../`), an attacker can cause the converted image file to be written to an arbitrary location on the filesystem. For example, providing `--file /tmp/foo/../../../../etc/passwd` could lead to writing a PNG file to `/etc/passwd_converted.png`. Before constructing `outputPath`, sanitize and validate the `inputPath` to ensure it refers to a file within an allowed, restricted directory. Resolve the path to its absolute form and verify it is a child of a designated safe directory. Ensure that the output directory for converted files is also restricted and validated. | LLM | lib/convert.js:19 |
| HIGH | Path Traversal leading to Arbitrary File Read: The `detectMime` function in `lib/magic.js` directly uses a user-provided `filePath` in `fs.openSync` and `fs.readSync`. An attacker can use path traversal sequences (e.g., `../../../`) in the `filePath` argument to read the first 12 bytes of arbitrary files on the system. While only a small portion is read, this confirms file existence and could potentially leak partial data from sensitive files like `/etc/passwd`. Sanitize and validate the `filePath` argument to ensure it refers to a file within an allowed, restricted directory. Resolve the path to its absolute form and verify it is a child of a designated safe directory before attempting to open or read the file. | LLM | lib/magic.js:9 |
| MEDIUM | Missing required field: name. The `name` field is required for claude_code skills but is missing from the frontmatter. Add a `name` field to the SKILL.md frontmatter. | Static | skills/autogame-17/media-converter/SKILL.md:1 |
Scan History