Trust Assessment
transcribee received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Unpinned npm dependency version", "Unsanitized user input passed to shell command in wrapper script", and "LLM-generated file paths are not validated, allowing arbitrary file writes".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unsanitized user input passed to shell command in wrapper script. The `transcribe.sh` wrapper script directly passes the first command-line argument (`$1`) to `pnpm exec tsx index.ts "$1"`. If the user-provided input contains shell metacharacters (e.g., `;`, `\|`, `&`, `$(...)`), these will be interpreted by the bash shell before `tsx` is executed, leading to arbitrary command execution. For example, `transcribe "; rm -rf /"` would execute `rm -rf /`. Remediation: modify `transcribe.sh` to ensure user input is not subject to shell interpretation. The safest approach is to remove the wrapper script and have the agent directly call `pnpm exec tsx index.ts <input>`, as `index.ts` correctly processes arguments via `process.argv`, which is not vulnerable to shell injection. If the wrapper is strictly necessary, ensure `$1` is properly escaped for shell execution, though this is generally more complex and error-prone than direct execution. | LLM | transcribe.sh:24 |
| HIGH | LLM-generated file paths are not validated, allowing arbitrary file writes. The skill uses an LLM (Anthropic) to classify content and suggest `folderName` and `newTranscriptPath` (as indicated by the `ThemeClassification` and `OrganizationPlan` interfaces). The `newTranscriptPath` is then used to construct the final directory for saving transcripts, typically by joining it with `BASE_TRANSCRIPTS_DIR` (e.g., `path.join(BASE_TRANSCRIPTS_DIR, newTranscriptPath)`). If a malicious prompt or input leads the LLM to generate a `newTranscriptPath` containing directory traversal sequences (e.g., `../../.ssh`), the skill could write sensitive files (transcripts, metadata) to arbitrary locations outside the intended `~/Documents/transcripts` directory. This could lead to data exfiltration, overwriting system files, or other forms of arbitrary file write vulnerabilities. Remediation: implement strict validation and sanitization of LLM-generated paths. After receiving `newTranscriptPath` from the LLM, normalize the path (e.g., using `path.normalize`) and then verify that the resolved path remains strictly within the `BASE_TRANSCRIPTS_DIR`. For example, check if `resolvedPath.startsWith(BASE_TRANSCRIPTS_DIR + path.sep)` to prevent directory traversal. Additionally, consider restricting the LLM's output for path components to alphanumeric characters and a limited set of safe symbols, and explicitly disallow directory separators. | LLM | index.ts:70 |
| MEDIUM | Unpinned npm dependency version. Dependency '@anthropic-ai/sdk' is not pinned to an exact version ('^0.67.0'). Remediation: pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/itsfabioroma/transcribee/package.json |