Trust Assessment
parquet-converter received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include "Missing required field: name", "Arbitrary File Read via Input Paths", and "Arbitrary File Write via Output Paths".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Arbitrary File Read via Input Paths.** The skill allows reading from arbitrary file paths provided by the user for various conversion operations (CSV, Excel, JSON, Parquet). A malicious actor could instruct the agent to read sensitive system files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, configuration files) and potentially process their content, leading to data exposure. Implement strict input validation and sandboxing for all file paths. Restrict file operations to a designated, isolated directory. Avoid allowing absolute paths or paths containing '..'. If possible, use a virtual file system or a secure file picker mechanism provided by the agent's execution environment. | LLM | SKILL.md:100 |
| HIGH | **Arbitrary File Write via Output Paths.** The skill allows writing converted data to arbitrary file paths provided by the user. A malicious actor could instruct the agent to write sensitive data (e.g., converted system files, logs containing sensitive information) to an accessible location, potentially overwriting existing files or facilitating data exfiltration if the output directory is publicly exposed or later accessed by an attacker. Implement strict input validation and sandboxing for all file paths. Restrict file operations to a designated, isolated output directory. Avoid allowing absolute paths or paths containing '..'. Ensure that output directories are not publicly accessible unless explicitly intended and secured by the agent's execution environment. | LLM | SKILL.md:112 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/parquet-converter/SKILL.md:1 |