Trust Assessment
remarkable received a trust score of 67/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Unpinned third-party binary download, Unpinned Python package dependencies, Potential command injection via unsanitized file operations.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned third-party binary download.** The skill recommends downloading the `rmapi` binary directly from a GitHub release using `curl -L` without specifying a version or verifying its integrity (e.g., via checksums or GPG signatures). This introduces a supply chain risk, as a compromise of the GitHub repository or the `ddvk` account could lead to the distribution of malicious binaries. The use of `/latest/download/` further exacerbates this by not pinning to a specific version. Recommend downloading a specific, version-pinned binary and verifying its integrity using a cryptographic hash or signature. Alternatively, use a package manager if available. | LLM | SKILL.md:49 |
| HIGH | **Potential command injection via unsanitized file operations.** The skill demonstrates executing shell commands (`unzip`, `rmc`, `rmapi`) with arguments that are derived from untrusted sources (e.g., downloaded `.rmdoc` files, or user-provided filenames/paths). If these arguments are not rigorously sanitized or escaped, an attacker could inject shell metacharacters to execute arbitrary commands or perform path traversal. For example: (1) `unzip "MyNotebook.rmdoc"`: if `MyNotebook.rmdoc` contains malicious path traversal sequences (e.g., `../../evil.sh` within its archive structure), `unzip` could write files to arbitrary locations. (2) `rmc ... "extracted/<doc-uuid>/<page-uuid>.rm"`: the path to the `.rm` file is constructed from components extracted from the untrusted `.rmdoc`. If these components contain shell metacharacters or path traversal, `rmc` could be exploited. (3) `rmapi put document.pdf "Target Folder/"`: if `document.pdf` or `Target Folder/` are taken directly from user input without sanitization, shell metacharacters could lead to command injection. All arguments passed to shell commands that originate from untrusted input (user input, downloaded file contents, external APIs) must be rigorously sanitized or properly escaped to prevent shell metacharacters from being interpreted as commands. For file paths, ensure they are canonicalized and restricted to expected directories. Consider using safer alternatives like Python's `subprocess` module with `shell=False` and passing arguments as a list. | LLM | SKILL.md:120 |
| MEDIUM | **Unpinned Python package dependencies.** The skill instructs users to install Python packages (`rmc`, `cairosvg`, `pillow`) using `pip install --user` without specifying version numbers. This can lead to unexpected behavior, breaking changes, or even the installation of malicious versions if a package maintainer account is compromised or a typosquatting attack occurs. Pin all Python dependencies to specific versions (e.g., `rmc==X.Y.Z`) to ensure reproducible and secure installations. | LLM | SKILL.md:57 |