keychain-bridge

clawhub:keychain-bridge

Grade: B
Score: 85/100
First Seen: Feb 19, 2026
Last Scanned: Feb 22, 2026
Findings: 7 (HIGH 1, LOW 6)

Findings (7)

HIGH
Private data read with code execution
L3

Skill can read private data AND execute arbitrary code. This combination enables credential theft via dynamic code.

[reads_private_data] access issues. Use when asked about secrets + [executes_code] subprocess.run(
FIX

Add input validation between the user-controlled data source and the security-sensitive sink (e.g., file writes, command execution). Implement allowlisting for acceptable input patterns.

FP?

Likely FP if the user input passes through explicit validation or sanitization before reaching the sensitive operation, and the taint tracker missed the sanitization step.

LOW
pip install arbitrary package
L28

Detects pip install of arbitrary packages that modify the host environment

pip3 install ke
FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW
pip install arbitrary package
L30

Detects pip install of arbitrary packages that modify the host environment

pip install ke
FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW
Shell script file execution
L78

Detects execution of shell script files via bash/sh command or direct invocation

bash SKILL_DIR/scripts/populate_secrets.sh
FIX

Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

FP?

Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.

LOW
Python subprocess execution
L171

Detects Python subprocess and os.system calls for command execution in skill descriptions

subprocess.run(
FIX

Pass arguments as an explicit list instead of a shell string. Set shell=False and validate all user-supplied values before inclusion.

FP?

Likely FP if the match is in documentation explaining Python subprocess usage or in a description mentioning it as a topic.

LOW
pip install arbitrary package
L178

Detects pip install of arbitrary packages that modify the host environment

pip3 install ke
FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW
pip install arbitrary package
L184

Detects pip install of arbitrary packages that modify the host environment

pip install ke
FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.