Trust Assessment
paperless-ngx received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include Arbitrary File Read via Upload, Arbitrary File Write via Download, Potential Command Injection via LLM Invocation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary File Read via Upload The `upload.mjs` script takes a file path as a positional argument (`<file>`) and directly reads its content using `statSync` and `readFile`. An attacker could provide a path to an arbitrary sensitive file (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) on the agent's filesystem, leading to its upload and potential exfiltration through the Paperless-ngx instance. Implement strict validation and sanitization of the `filePath` argument. Restrict file uploads to a designated, isolated directory, or ensure that only files explicitly provided by the user (e.g., via a secure file picker) can be uploaded. Prevent path traversal sequences (e.g., `../`). | LLM | scripts/upload.mjs:40 | |
| CRITICAL | Arbitrary File Write via Download The `download.mjs` script allows specifying an arbitrary output path via the `--output` argument. An attacker could use path traversal sequences (e.g., `../../../../tmp/malicious.pdf`) to write files to unintended or sensitive locations on the agent's filesystem, potentially overwriting critical system files or user data. Implement strict validation and sanitization of the `--output` path argument. Restrict downloads to a designated, isolated directory, or ensure that paths do not contain traversal sequences (e.g., `../`). | LLM | scripts/download.mjs:60 | |
| HIGH | Potential Command Injection via LLM Invocation The `SKILL.md` provides examples of executing Node.js scripts via `node {baseDir}/scripts/...` with user-controlled arguments (e.g., `"query"`, `--title "..."`, `--tags "a,b"`). If the host LLM constructs these shell commands by directly interpolating user input without proper escaping (e.g., handling quotes, semicolons, backticks, or other shell metacharacters), it could lead to command injection, allowing an attacker to execute arbitrary shell commands. The host LLM must strictly quote and escape all user-provided arguments when constructing shell commands for execution. Alternatively, the skill's scripts could implement more robust input validation to reject or sanitize potentially malicious shell metacharacters, although the primary defense should be at the command invocation layer. | LLM | SKILL.md:20 |
Scan History
Embed Code
[](https://skillshield.io/report/5bc907d629c50a2d)
Powered by SkillShield