Security Audit
proompteng/bilig:packages/headless
github.com/proompteng/bilig
Trust Assessment
proompteng/bilig:packages/headless received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 1 high, 2 medium, and 2 low severity. Key findings include Direct source dependency in package.json, Node lockfile missing, Reliance on Agent for Command Injection Prevention.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on May 18, 2026 (commit 5f9f5ec7). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Direct source dependency in package.json: Dependency '@bilig/core' uses non-registry source 'workspace:*', which increases supply-chain risk. Prefer vetted registry releases pinned to exact versions. | Dependencies | packages/headless/package.json |
| MEDIUM | Reliance on Agent for Command Injection Prevention: The skill's `SKILL.md` explicitly warns against concatenating user text into shell commands and recommends using `args` arrays for safety. The provided examples for `bilig-workpaper-mcp` and `bilig-formula-clinic` correctly use `args` arrays. However, these commands take user-provided file paths (e.g., `./pricing.workpaper.json`, `./reduced.xlsx`) and cell references. If the AI agent implementing this skill does not strictly adhere to the 'Command Safety' guidelines (specifically, 'validate workbook paths before use, and reject values containing newlines, backticks, `$(`, `;`, `&`, `\|`, `<`, or `>`'), a malicious user could inject arbitrary commands or paths. The risk lies in the agent's implementation of the safety guidance, not directly in the skill's recommendation. Ensure the AI agent strictly validates and sanitizes all user-provided input (file paths, cell references, etc.) before passing it to any external command or function. Implement robust input validation to reject any characters or patterns that could lead to command injection or arbitrary file access. The skill's 'Command Safety' section provides excellent guidance that must be rigorously followed by the agent. | Static | SKILL.md:23 |
| MEDIUM | Direct CDN Dependency for Critical Package: The `package.json` file specifies the `xlsx` dependency using a direct URL to a `.tgz` file hosted on a CDN (`https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz`). While the version is pinned, relying on a CDN for a critical package instead of a package registry (like npm or yarn) introduces a supply chain risk. If the CDN is compromised or the `.tgz` file at that URL is replaced with a malicious version, the integrity of the dependency is compromised. Standard package managers typically verify package integrity using checksums against a registry, which is harder to do with direct CDN links. Consider hosting the `xlsx` package in a private registry or mirroring it, or if possible, switch to a standard npm registry dependency for `xlsx` if one is available and maintained. If a direct CDN link is unavoidable, implement robust integrity checks (e.g., Subresource Integrity (SRI) for browser-side assets, or cryptographic hash verification for Node.js dependencies) to ensure the downloaded package has not been tampered with. | Static | package.json:59 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | packages/headless/package.json |
| LOW | Potential for Local File Content Exposure via Report: The `bilig-formula-clinic` tool, as described in `SKILL.md` and confirmed by `formula-clinic-cli.test.ts`, reads local XLSX files to generate a report. While the skill explicitly states that the report 'does not upload workbook contents' and advises using a 'reduced public fixture rather than private customer spreadsheets', the tool *does* read the content of the specified file. If the AI agent fails to validate and sanitize user-provided file paths (as warned in 'Command Safety'), a malicious user could provide a path to a sensitive local file (e.g., `/etc/passwd`). The tool would then attempt to read this file and include its contents in the local report, which the agent might then inadvertently expose to the user or other systems. Reinforce the importance of strict input validation for file paths provided by users. The agent must ensure that only intended and safe file paths are processed by the `bilig-formula-clinic` tool. Consider implementing an allowlist of permitted file extensions or directories if applicable, and always sanitize paths to prevent directory traversal attacks. | Static | SKILL.md:59 |
Powered by SkillShield