Security Audit
snyk/agent-scan:tests/skills/slack-gif-creator
github.com/snyk/agent-scan
Trust Assessment
snyk/agent-scan:tests/skills/slack-gif-creator received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 0 critical, 5 high, 4 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Unpinned Python dependency version, Arbitrary File Read/Write via User-Controlled Paths.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on March 1, 2026 (commit 30a672c5). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | **Unsafe deserialization / dynamic eval**: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/skills/slack-gif-creator/core/easing.py:5 | |
| HIGH | **Unsafe deserialization / dynamic eval**: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/skills/slack-gif-creator/core/frame_composer.py:5 | |
| HIGH | **Unsafe deserialization / dynamic eval**: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/skills/slack-gif-creator/core/gif_builder.py:5 | |
| HIGH | **Arbitrary File Read/Write via User-Controlled Paths**: The skill's `core/gif_builder.py` and `core/validators.py` modules perform file system operations (`Image.open`, `imageio.imwrite`, `Path.stat`) using paths (`gif_path`, `output_path`) that are highly likely to be derived from untrusted user input. The `SKILL.md` explicitly suggests using `Image.open('file.png')` for user-uploaded images. Without proper sanitization and validation of these paths by the calling LLM agent, a malicious user could specify arbitrary file paths. This could lead to:<br>- **Data Exfiltration**: Reading sensitive system files (e.g., `/etc/passwd`, `/root/.ssh/id_rsa`) by providing a malicious `gif_path` to `core/validators.py::validate_gif()` or `Image.open()` as suggested in `SKILL.md`.<br>- **Arbitrary File Write**: Overwriting critical system files or writing malicious content to web server directories by providing a malicious `output_path` to `core/gif_builder.py::save()`.<br>The skill itself does not implement path validation or sandboxing, relying on the caller (the LLM agent) to ensure path safety. The LLM agent must strictly validate and sanitize all file paths derived from user input before passing them to the skill. This includes:<br>1. **Path Validation**: Ensure paths are within an allowed, sandboxed directory (e.g., a temporary user-specific directory).<br>2. **Path Canonicalization**: Resolve any `..` or symlinks to prevent directory traversal.<br>3. **File Type Validation**: For input files, ensure they are actual image files and not other types.<br>4. **Sandboxing**: Run the skill in a sandboxed environment with restricted file system access.<br>5. **Explicit User Confirmation**: For any file write operation, prompt the user for explicit confirmation of the target path. | LLM | core/gif_builder.py:177 | |
| HIGH | **Arbitrary File Read/Write via User-Controlled Paths**: The skill's `core/gif_builder.py` and `core/validators.py` modules perform file system operations (`Image.open`, `imageio.imwrite`, `Path.stat`) using paths (`gif_path`, `output_path`) that are highly likely to be derived from untrusted user input. The `SKILL.md` explicitly suggests using `Image.open('file.png')` for user-uploaded images. Without proper sanitization and validation of these paths by the calling LLM agent, a malicious user could specify arbitrary file paths. This could lead to:<br>- **Data Exfiltration**: Reading sensitive system files (e.g., `/etc/passwd`, `/root/.ssh/id_rsa`) by providing a malicious `gif_path` to `core/validators.py::validate_gif()` or `Image.open()` as suggested in `SKILL.md`.<br>- **Arbitrary File Write**: Overwriting critical system files or writing malicious content to web server directories by providing a malicious `output_path` to `core/gif_builder.py::save()`.<br>The skill itself does not implement path validation or sandboxing, relying on the caller (the LLM agent) to ensure path safety. The LLM agent must strictly validate and sanitize all file paths derived from user input before passing them to the skill. This includes:<br>1. **Path Validation**: Ensure paths are within an allowed, sandboxed directory (e.g., a temporary user-specific directory).<br>2. **Path Canonicalization**: Resolve any `..` or symlinks to prevent directory traversal.<br>3. **File Type Validation**: For input files, ensure they are actual image files and not other types.<br>4. **Sandboxing**: Run the skill in a sandboxed environment with restricted file system access.<br>5. **Explicit User Confirmation**: For any file write operation, prompt the user for explicit confirmation of the target path. | LLM | core/validators.py:26 | |
| MEDIUM | **Unpinned Python dependency version**: Requirement 'pillow>=10.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | tests/skills/slack-gif-creator/requirements.txt:1 | |
| MEDIUM | **Unpinned Python dependency version**: Requirement 'imageio>=2.31.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | tests/skills/slack-gif-creator/requirements.txt:2 | |
| MEDIUM | **Unpinned Python dependency version**: Requirement 'imageio-ffmpeg>=0.4.9' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | tests/skills/slack-gif-creator/requirements.txt:3 | |
| MEDIUM | **Unpinned Python dependency version**: Requirement 'numpy>=1.24.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | tests/skills/slack-gif-creator/requirements.txt:4 | |
| INFO | **Loosely Pinned Dependencies**: The `requirements.txt` file uses `>=` for pinning dependencies (`pillow>=10.0.0`, `imageio>=2.31.0`, `imageio-ffmpeg>=0.4.9`, `numpy>=1.24.0`). While this ensures a minimum version, it allows for automatic updates to newer minor or patch versions. A malicious actor could introduce vulnerabilities into a future version of these libraries, which would then be automatically installed without explicit review, posing a supply chain risk. Pin dependencies to exact versions (e.g., `pillow==10.0.0`) to ensure deterministic builds and prevent unexpected updates. Use a lock file (e.g., `pip freeze > requirements.lock`) for production environments. Regularly review and update dependencies. | LLM | requirements.txt:1 | |