Trust Assessment
smart-image-loader received a trust score of 43/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 3 high, 1 medium, and 0 low severity. Key findings include "Suspicious import: urllib.request", "Potential data exfiltration: file read + network send", and "LLM instructed to use `exec` with untrusted file path for cleanup".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Description | Layer | Location |
|---|---|---|---|---|
| CRITICAL | LLM instructed to use `exec` with untrusted file path for cleanup | The `SKILL.md` explicitly instructs the host LLM to perform cleanup using `exec` with `rm <file_path>`. The `file_path` returned by the `smart_image_loader.py` script can be influenced by untrusted user input (as demonstrated by the local file path traversal and `file://` URL vulnerabilities). If an attacker can craft an `input_str` that results in a `file_path` containing shell metacharacters (e.g., `/tmp/image; rm -rf /`), and the LLM follows the instruction to execute `rm <file_path>`, it would lead to arbitrary command execution on the host system. Never instruct the LLM to use `exec` with untrusted input. If cleanup is required, it should be handled internally by the Python script using safe functions like `os.remove()`, or by a dedicated, sandboxed cleanup mechanism that does not involve direct shell execution with user-controlled input. The Python script already has a `cleanup_file` function; the LLM should be instructed to rely on the script's internal cleanup mechanisms or a safe tool. | LLM | SKILL.md:97 |
| HIGH | Potential data exfiltration: file read + network send | Function 'download_image' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/tingwei1123/smart-image-loader/scripts/smart_image_loader.py:54 |
| HIGH | Local file path traversal leading to arbitrary file read | The skill allows users to specify local file paths. The `smart_load_image` function resolves relative paths to absolute paths (`os.path.join(os.getcwd(), file_path)`) and then checks for existence. The `SKILL.md` instructs the LLM to use the `read` tool on the returned `file_path`. An attacker can provide a path like `../../../../etc/passwd` or `/etc/passwd`. The script will validate its existence and return the absolute path, which the LLM will then attempt to read using the `read` tool, leading to the exfiltration of sensitive system files. Implement strict path validation to ensure that local file paths are confined to an allowed directory (e.g., a designated workspace or image directory) and do not allow traversal outside this boundary. Alternatively, use a tool that specifically handles image display and does not expose arbitrary file reading capabilities. | LLM | scripts/smart_image_loader.py:97 |
| HIGH | Arbitrary file read via `file://` URL scheme | The `smart_image_loader.py` script uses `urllib.request.urlretrieve` to download images from URLs. This function supports the `file://` URL scheme. An attacker can provide a URL like `file:///etc/passwd`. The script will attempt to 'download' this local file to a temporary directory. The path to this temporary file is then returned by the script, and the `SKILL.md` instructs the LLM to use the `read` tool on this path. This allows an attacker to read the content of arbitrary local files by tricking the skill into downloading them to a temporary location and then exposing that temporary path to the `read` tool. Restrict the allowed URL schemes to only `http` and `https` within the `is_url` function or before calling `urllib.request.urlretrieve`. Do not allow `file://` or other potentially dangerous schemes. | LLM | scripts/smart_image_loader.py:39 |
| MEDIUM | Suspicious import: urllib.request | Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/tingwei1123/smart-image-loader/scripts/smart_image_loader.py:14 |