Trust Assessment
pdf-process-mineru received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before it is used in production.
SkillShield's automated analysis identified 12 findings: 4 critical, 6 high, 2 medium, and 0 low severity. Key findings include unsafe environment variable passthrough, arbitrary command execution, and credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Manifest Analysis layer scored lowest, at 0/100.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Python shell execution (`os.system`, `subprocess`). | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/baokui/pdf-parser-mineru/script/pdf_parser.py:142 |
| CRITICAL | Arbitrary command execution | Python shell execution (`os.system`, `subprocess`). | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/baokui/pdf-parser-mineru/script/pdf_parser.py:256 |
| CRITICAL | Credential harvesting | Bulk environment variable dump. | Skills should only access environment variables they explicitly need. Bulk environment dumps (`os.environ.copy`, `JSON.stringify(process.env)`) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/baokui/pdf-parser-mineru/script/pdf_parser.py:137 |
| CRITICAL | Credential harvesting | Bulk environment variable dump. | Skills should only access environment variables they explicitly need. Bulk environment dumps (`os.environ.copy`, `JSON.stringify(process.env)`) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/baokui/pdf-parser-mineru/script/pdf_parser.py:251 |
| HIGH | Unsafe environment variable passthrough | Bulk environment variable harvesting. | Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/baokui/pdf-parser-mineru/script/pdf_parser.py:137 |
| HIGH | Unsafe environment variable passthrough | Bulk environment variable harvesting. | Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/baokui/pdf-parser-mineru/script/pdf_parser.py:251 |
| HIGH | Dangerous call: `subprocess.run()` | Call to `subprocess.run()` detected in function `parse_to_markdown`. This can execute arbitrary code. | Avoid using dangerous functions like `exec`/`eval`/`os.system`. Use safer alternatives. | Static | skills/baokui/pdf-parser-mineru/script/pdf_parser.py:142 |
| HIGH | Dangerous call: `subprocess.run()` | Call to `subprocess.run()` detected in function `parse_to_json`. This can execute arbitrary code. | Avoid using dangerous functions like `exec`/`eval`/`os.system`. Use safer alternatives. | Static | skills/baokui/pdf-parser-mineru/script/pdf_parser.py:256 |
| HIGH | Potential Command Injection via User-Controlled Arguments | The `_build_command` function in `script/pdf_parser.py` constructs a command list for `subprocess.run` by directly incorporating user-controlled parameters such as `file_path`, `output_dir`, `backend`, and `language`. While `subprocess.run` with a list of arguments is generally safer than `shell=True`, these parameters could be crafted to inject additional command-line options or exploit vulnerabilities in the `mineru` executable itself if it interprets arguments in a shell-like manner or has argument parsing flaws. For example, a malicious `file_path` could be crafted to include `--evil-option` or other command-line flags that alter `mineru`'s behavior or lead to unintended execution. | Implement strict validation and sanitization for all user-controlled arguments passed to `subprocess.run`. Ensure `file_path` and `output_dir` are canonicalized and checked against allowed directories. Consider using a whitelist for `backend` and `language` parameters. If possible, avoid passing raw user input directly into command arguments without escaping or validation. | LLM | script/pdf_parser.py:70 |
| HIGH | Data Exfiltration via Skill Return Value | The skill's primary function is to parse PDF documents and return their content, either as Markdown (`markdown_content`) or structured JSON (`pages`). The `file_path` parameter accepts an absolute path, allowing the skill to read any file on the system that the agent has permissions for. If a user or an attacker prompts the LLM to process a sensitive PDF file (e.g., `/etc/passwd.pdf`, `/home/user/secrets.pdf`), the content of that file will be read by the skill and returned as part of the skill's output, leading to direct data exfiltration to the calling agent or LLM. | Implement strict access control policies for file paths. Restrict `file_path` and `output_dir` to a designated, isolated directory (e.g., a temporary sandbox or a user-specific data directory) rather than allowing arbitrary absolute paths. Consider redacting sensitive information from the output or providing a mechanism for users to specify allowed file types/locations. | LLM | script/pdf_parser.py:130 |
| MEDIUM | Excessive Filesystem Permissions | The skill accepts `file_path` and `output_dir` as absolute paths, granting it broad read and write access to the filesystem. This allows the skill to read any file and write to any directory that the underlying process has permissions for. This level of access is excessive for a skill that should ideally operate within a more confined scope, increasing the attack surface for unauthorized file access, modification, or deletion. | Restrict file system access to a dedicated, isolated directory (e.g., a temporary sandbox or a user-specific data directory). Avoid allowing arbitrary absolute paths for `file_path` and `output_dir`. Implement path validation to ensure paths are within the allowed scope and do not contain directory traversal sequences (e.g., `../`). | LLM | script/pdf_parser.py:100 |
| MEDIUM | Unpinned Dependencies in Installation Script | The `install.sh` script uses unpinned dependencies for `uv` and `mineru[all]` (`pip3 install uv` and `uv pip install -U "mineru[all]"`). The `-U` flag and lack of version pinning mean that the latest available versions of these packages will be installed. This introduces a supply chain risk, as a future malicious or vulnerable version of `uv` or `mineru` could be automatically installed, compromising the skill's security or stability without explicit review. | Pin all dependencies to specific versions (e.g., `uv==0.1.0` and `mineru[all]==1.2.3`). Regularly review and update these pinned versions to incorporate security fixes and new features in a controlled manner. Consider using a `requirements.txt` or `pyproject.toml` with locked dependencies. | LLM | install.sh:50 |
Full report: https://skillshield.io/report/2c4b538a4b8d9cf3