First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
3
Score
92/100
Findings (3)
Detects git clone of repositories followed by execution of cloned content
git clone https://git.suckless.org/ii + cd ii && make &&Review the dependency tree for nested or transitive dependencies that introduce risk. Use tools like npm audit or pip-audit to identify known vulnerabilities in the dependency chain.
Likely FP if the flagged dependency is a standard, widely-used library with no known vulnerabilities at the time of scanning.
Detects system-level package installation via brew, apt, yum, or dnf
apt install iPin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.
Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.
Detects execution of shell script files via bash/sh command or direct invocation
bash scripts/setup.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.