Trust Assessment
pdf received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 1 medium, and 1 low severity. Key findings include Potential Command Injection via external CLI tools, Potential Command Injection via `pdf2image` library, Broad File System Access.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Command Injection via external CLI tools The `SKILL.md` documentation demonstrates the use of several command-line tools (`pdftotext`, `qpdf`, `pdftk`, `pdfimages`) within `bash` code blocks. If the arguments to these commands (e.g., input/output filenames, page ranges) are derived directly from untrusted user input without proper sanitization, an attacker could inject arbitrary shell commands. For example, providing `"; rm -rf /"` as a filename could lead to critical system compromise. When invoking external command-line tools, ensure all arguments derived from untrusted input are strictly validated and properly escaped or quoted to prevent shell metacharacter interpretation. Consider using a library's safe API for subprocess execution or a dedicated shell escaping utility. | LLM | SKILL.md:108 | |
| HIGH | Potential Command Injection via `pdf2image` library The `scripts/convert_pdf_to_images.py` script uses the `pdf2image` library, which internally relies on external command-line tools like `poppler-utils` (`pdftoppm`) to convert PDFs to images. The `pdf_path` and `output_dir` arguments are taken directly from `sys.argv`. If these arguments are controlled by an untrusted user and contain shell metacharacters, it could lead to command injection through the underlying subprocess calls made by `pdf2image`. Sanitize `pdf_path` and `output_dir` before passing them to `pdf2image` functions. Ensure they are valid file paths and do not contain any shell metacharacters. If `pdf2image` provides a way to pass arguments as a list (like `subprocess.run(..., shell=False)`), prefer that. | LLM | scripts/convert_pdf_to_images.py:28 | |
| MEDIUM | Broad File System Access The skill's functionality, as described in `SKILL.md` and implemented in the Python scripts, involves reading and writing various file types (PDFs, images, JSON, text) to arbitrary paths specified by arguments. This grants the skill broad read/write access to the file system. While necessary for its intended purpose, it increases the attack surface. A compromised skill could potentially read sensitive files or overwrite critical system files. Implement strict input validation for all file paths provided to the skill. Restrict file operations to specific, designated directories (e.g., a sandbox or temporary directory) if possible. Avoid allowing arbitrary file path inputs from untrusted sources. | LLM | SKILL.md:10 | |
| LOW | Runtime Modification of Third-Party Library The `scripts/fill_fillable_fields.py` script includes a `monkeypatch_pydpf_method()` function that modifies the `pypdf.generic.DictionaryObject.get_inherited` method at runtime. While the stated purpose is to fix a specific bug in `pypdf`, runtime patching of external libraries can introduce fragility, make debugging harder, and, if the patch itself were malicious or flawed, could lead to security vulnerabilities or unexpected behavior. This is a form of hidden instruction or supply chain risk if the patch source is not fully trusted. Prefer to use official releases of libraries that have bug fixes integrated. If a patch is absolutely necessary, ensure it is thoroughly reviewed, documented, and ideally contributed upstream. Minimize runtime modifications to third-party code. | LLM | scripts/fill_fillable_fields.py:99 |
Scan History
Embed Code
[](https://skillshield.io/report/846f261f3caa7474)
Powered by SkillShield