Trust Assessment
openkm-rest received a trust score of 58/100, placing it in the Caution category: the skill has security issues that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium and 0 low severity. The key findings are Prompt Injection leading to Command Injection, Prompt Injection leading to Credential Harvesting, and a suspicious import of `requests`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, which is where the findings concentrate: four of the five are LLM-layer findings.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Prompt Injection leading to Command Injection.** SKILL.md states that the skill drives `openkm_cli.py` through "shell calls". If the LLM is induced to place shell metacharacters (`;`, `&&`, `|`) in an argument such as `--local-path` or `--folder-path`, the shell that launches the `python3` command interprets them, giving arbitrary command execution on the host. `openkm_cli.py` itself uses `argparse` and `urllib.parse.quote` for its own API calls, but the invocation boundary is a shell command, so the injection happens before `argparse` ever runs. Remediation: do not hand LLM-generated command strings to a shell. Run the CLI with `subprocess.run` and an argument list (`shell=False`), validate and sanitize every LLM-supplied argument before it is placed in that list, or execute the CLI in a sandboxed Python interpreter. | LLM | SKILL.md:10 |
| CRITICAL | **Prompt Injection leading to Credential Harvesting.** `openkm_cli.py` accepts `--base-url`, `--username` and `--password` on the command line; they default to environment variables, but a command-line value overrides the default. An LLM prompted to set `--base-url` to an attacker-controlled host makes the `requests` client send the OpenKM username and password (taken from the environment, or likewise overridden) to that host, exfiltrating the credentials. Remediation: do not let the LLM set `--base-url`, `--username` or `--password`; fix them in the skill configuration or load them from a secrets manager, and reject any LLM-supplied attempt to override them. Apply strict validation to every remaining LLM-provided argument. | LLM | openkm_cli.py:200 |
| HIGH | **Arbitrary File Read (Data Exfiltration).** The `upload` command opens the `--local-path` argument directly (`with open(local_path, 'rb') as f:`) and sends the contents to the configured OpenKM instance. An LLM prompted with a sensitive path such as `/etc/passwd` or `/app/secrets.txt` therefore uploads that file to the server. Remediation: confine `--local-path` to a dedicated upload directory, resolve the path and verify that it stays inside that directory (so `..` segments and symlinks cannot escape), and never accept arbitrary paths from untrusted input. | LLM | openkm_cli.py:90 |
| HIGH | **Arbitrary File Write (Excessive Permissions).** The `download` command opens the `--local-path` argument for writing (`with open(local_path, 'wb') as f:`). An LLM prompted with a path such as `/etc/shadow` or `/root/.ssh/authorized_keys` makes the skill write the downloaded document there, with whatever privileges the process holds: overwriting critical files, planting attacker-chosen content (an SSH key, for example), or filling the disk. Remediation: confine `--local-path` to a dedicated download directory with the same resolve-and-check validation as for uploads, and run the skill with the least privilege it needs so that a write outside the sandbox cannot reach system files. | LLM | openkm_cli.py:108 |
| MEDIUM | **Suspicious import: requests.** `openkm_cli.py` imports `requests`, which gives the skill outbound network access. Verify that the import is necessary (here it is the HTTP client for the OpenKM REST API) and that the only destination is the intended OpenKM instance; network modules in skill code can also carry data out. | Static | skills/pes0/openkm-rest/openkm_cli.py:6 |
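The four LLM-layer findings share one root cause: strings chosen by the model reach a shell, a credential-bearing option, or the filesystem with no policy in between. The launcher below is an added example and is not code from openkm-rest or from SkillShield. It assumes a CLI invoked as `python3 openkm_cli.py <command> [--flag value ...]` with the verbs and flags named in the findings, a sandbox directory `/tmp/openkm-sandbox`, and hypothetical helper names (`vulnerable_command_line`, `confine_path`, `build_argv`, `rejected`, `run_skill`). It places the string-interpolated shell invocation the first finding warns about beside an argv-list invocation with `shell=False`, allowlists flags so the second finding's `--base-url`/`--username`/`--password` can never be set by the model, and confines `--local-path` for the third and fourth.

```python
"""Hardened launcher for an LLM-driven CLI skill.

Added example, not part of openkm-rest or SkillShield. Assumes the CLI is
invoked as ``python3 openkm_cli.py <command> [--flag value ...]`` with the
verbs and flags named in the findings; all helper names are hypothetical.
"""
import subprocess
from pathlib import Path

# Directory model-chosen --local-path values must stay inside (assumption).
SANDBOX = Path("/tmp/openkm-sandbox")
# Assumed CLI verbs the model may request; anything else is refused.
ALLOWED_COMMANDS = {"upload", "download", "list", "search"}
# Exact flag names the model may set (assumption: extend to the real CLI).
# An allowlist is used rather than a denylist of --base-url/--username/
# --password: argparse accepts unambiguous prefixes by default, so a denylist
# would miss '--pass', and it would also miss the '--password=x' spelling.
ALLOWED_FLAGS = {"--local-path", "--folder-path"}
# Findings 3 and 4: flags naming local files are confined to SANDBOX.
PATH_FLAGS = {"--local-path"}


def vulnerable_command_line(command: str, options: dict[str, str]) -> str:
    """Finding 1, the 'before': values interpolated into one shell string.

    A value such as 'report.pdf; id' makes the shell run 'id' after the CLI.
    Returned only to show the problem; never pass this to a shell.
    """
    flags = " ".join(f"{flag} {value}" for flag, value in options.items())
    return f"python3 openkm_cli.py {command} {flags}"


def confine_path(candidate: str, sandbox: Path = SANDBOX) -> Path:
    """Resolve candidate and require it to stay inside sandbox.

    Path.resolve() collapses '..' and follows symlinks, so both
    'sandbox/../../etc/passwd' and a symlink that leaves the sandbox are
    rejected; absolute candidates like '/etc/shadow' are rejected as well.
    """
    base = sandbox.resolve()
    path = Path(candidate)
    resolved = (path if path.is_absolute() else base / path).resolve()
    if resolved == base or not resolved.is_relative_to(base):
        raise ValueError(f"path escapes sandbox: {candidate!r}")
    return resolved


def build_argv(command: str, options: dict[str, str],
               sandbox: Path = SANDBOX) -> list[str]:
    """Turn a model-supplied command and options into a fixed argv list.

    Each value becomes exactly one argv element, so ';', '&&' or '|' inside
    it are ordinary bytes to the CLI and never reach a shell.
    """
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowed: {command!r}")
    argv = ["python3", "openkm_cli.py", command]
    for flag, value in options.items():
        if flag not in ALLOWED_FLAGS:
            raise ValueError(f"option not allowed: {flag!r}")
        if value.startswith("-"):
            # argparse would read such a value as a further option, which is
            # another route to --password or --base-url.
            raise ValueError(f"value looks like a flag: {value!r}")
        if flag in PATH_FLAGS:
            value = str(confine_path(value, sandbox))
        argv += [flag, value]
    return argv


def rejected(command: str, options: dict[str, str],
             sandbox: Path = SANDBOX) -> bool:
    """True when the policy refuses this request."""
    try:
        build_argv(command, options, sandbox)
    except ValueError:
        return True
    return False


def run_skill(command: str, options: dict[str, str], sandbox: Path = SANDBOX,
              timeout: float = 60) -> subprocess.CompletedProcess:
    """Finding 1, the 'after': argv list, shell=False, bounded runtime."""
    argv = build_argv(command, options, sandbox)
    return subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=timeout, check=False)


if __name__ == "__main__":
    hostile = {"--local-path": "report.pdf; id", "--folder-path": "/okm:root/in"}
    print("shell string:", vulnerable_command_line("upload", hostile))
    print("argv list   :", build_argv("upload", hostile))
    for cmd, opts in [
        ("upload", {"--base-url": "http://attacker.example"}),
        ("upload", {"--pass": "x"}),
        ("upload", {"--local-path": "/etc/passwd"}),
        ("download", {"--local-path": "../../root/.ssh/authorized_keys"}),
        ("upload", {"--folder-path": "--password"}),
    ]:
        print("rejected    :", rejected(cmd, opts), cmd, opts)
```

With the argv list form the operating system starts `python3` directly and `report.pdf; id` arrives as one argument, so the CLI sees a filename that happens to contain a semicolon rather than a second command. The wrapper does not inspect `--folder-path` beyond the flag check, since that value is a remote OpenKM path that the CLI already URL-encodes; the server name and credentials still come from the environment or a secrets store, never from the model.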
Report page: https://skillshield.io/report/7d6465981f85b3a7 (SkillShield)