Oathe Security Badge

Is evan715823/cheatsheet-generator-skill safe?

https://github.com/evan715823/cheatsheet-generator-skill

90
SAFE

This is a legitimate educational tool for generating LaTeX cheatsheets from course materials. While it processes potentially untrusted file formats and executes code for PDF/PPTX processing and LaTeX compilation, these are necessary for its stated functionality and the implementation follows reasonable security practices.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

MEDIUM Dynamic Python execution for file processing -15

The skill executes Python code dynamically via bash commands to process PDF and PPTX files. Although this is necessary for the skill's functionality, it could be exploited if malicious content is embedded in input files.

MEDIUM LaTeX compilation of user content -10

The skill compiles LaTeX content using external tools (latexmk), which could execute arbitrary code if malicious LaTeX is generated or injected.

LOW File system access for course materials -10

The skill reads various file formats from the working directory including PDFs, PPTX, and images. Access is limited to the intended functionality.

LOW Local web server exposure -20

The skill starts local Flask web servers on random ports for configuration and editing. Although the servers bind to localhost, they create additional attack surface.