Security Audit
sundial-org/awesome-openclaw-skills:skills/ai-pdf-builder
github.com/sundial-org/awesome-openclaw-skills

Trust Assessment
sundial-org/awesome-openclaw-skills:skills/ai-pdf-builder received a trust score of 17/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings include Command Injection via CLI arguments, Data Exfiltration via arbitrary file read, and Prompt Injection in AI content generation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 53/100, indicating areas for improvement.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via CLI arguments.** The agent instructions explicitly guide the LLM to construct and execute `npx ai-pdf-builder` commands, interpolating user-provided values for parameters like the `--company` flag, file paths, and AI prompts. If these user inputs are not properly sanitized or escaped before being passed to the shell, an attacker could inject arbitrary shell commands. For example, a malicious user could provide `"; rm -rf /"` as a company name or part of a prompt, leading to arbitrary code execution on the host system. All user-provided strings intended for CLI arguments must be strictly validated and properly escaped for shell execution. Consider using a library that safely constructs command-line arguments, or disallow arbitrary user input for sensitive parameters. | Static | SKILL.md:68 |
| HIGH | **Data Exfiltration via arbitrary file read.** The skill provides `enhance` and `summarize` commands that take file paths as input (e.g., `npx ai-pdf-builder enhance ./draft.md`, `npx ai-pdf-builder summarize ./long-document.md`). The agent instructions also guide the LLM to 'Get the content - either from their message, a file, or use AI to generate' and then 'Send the PDF file to the user'. If the agent is instructed to process an arbitrary file path provided by a malicious user (e.g., `/etc/passwd`, `/var/log/auth.log`, or sensitive application configuration files), it could read and potentially exfiltrate the content of these files by including them in the generated PDF or summary, which is then delivered to the user. Implement strict validation and sandboxing for file paths. Only allow access to files within a designated, non-sensitive directory (e.g., a temporary user-specific workspace). Never allow absolute paths or paths containing `..`, to prevent directory traversal. | Static | SKILL.md:56 |
| MEDIUM | **Prompt Injection in AI content generation.** The skill involves 'AI Content Generation' and 'Enhance Existing Content' using an underlying LLM (Claude, as indicated by `ANTHROPIC_API_KEY`). The agent instructions state 'Get the content - either from their message, a file, or use AI to generate'. If user-provided content (from 'their message' or a file) is directly passed to the underlying Claude LLM for generation, enhancement, or summarization without proper sanitization, it could lead to prompt injection. A malicious user could embed instructions within their content that manipulate the behavior of the Claude LLM, potentially leading to unintended content generation, data disclosure, or other undesirable outcomes. Implement robust input sanitization and validation for all user-provided content before it is passed to the underlying AI model. Use techniques like prompt templating, input filtering, and output validation to mitigate prompt injection risks. | LLM | SKILL.md:46 |
| LOW | **Unpinned `npx` dependency.** The usage examples instruct the agent to use `npx ai-pdf-builder` without specifying a version. While the manifest declares `version: "1.1.0"`, `npx` by default fetches the latest version of a package if it is not already installed or if a specific version is not provided. This introduces a supply chain risk where a malicious update to the `ai-pdf-builder` package on npm could be automatically downloaded and executed by the agent, leading to arbitrary code execution or other compromises. Always pin the version of npm packages when executing them via `npx` in automated environments, for example `npx ai-pdf-builder@1.1.0 check`. Alternatively, ensure the package is installed and version-locked in the environment where the agent operates. | Static | SKILL.md:40 |
Full report: https://skillshield.io/report/a7803776304dd060