First Seen: Feb 20, 2026
Last Scanned: Feb 22, 2026
Findings: 3
Score: 77/100
Findings (3)
Skill can read private data (credentials, SSH keys, env vars) AND write to public channels (Slack, Discord, email). This combination enables data exfiltration.
[reads_private_data] access logs for the exposed credential + [writes_public_output] Post to Slack
Break the toxic data flow by adding validation and sanitization between the input source and the sensitive operation. Do not pass untrusted data directly to file system, network, or execution APIs.
Likely FP if the data flow involves only trusted, hardcoded values and the taint analysis over-approximated the untrusted input sources.
Detects accessing git history, diffs, or repo data combined with external transmission
git log + Post to Slack
Prevent the tool from accessing and transmitting database contents. If database access is needed, restrict queries to specific tables and block bulk data export.
Likely FP if the skill is a database management tool where querying and displaying data to the user is the documented core feature.
Detects screenshot/screen capture tools combined with upload or transmission
Screenshot + Post to Slack
Block the ability to read and transmit contents of configuration files (.env, config.json, settings.yaml). Implement file path validation to prevent access to sensitive config files.
Likely FP if the skill reads config files to configure itself locally without transmitting the contents externally.