nima-core

clawhub:nima-core

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 20, 2026

Findings

Score

100/100

LOW 7

Findings (7)

LOW

pip install arbitrary package EXTDL_009

external-download L19

Detects pip install of arbitrary packages that modify the host environment

pip install ni

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW

pip install arbitrary package EXTDL_009

external-download L22

Detects pip install of arbitrary packages that modify the host environment

pip install ni

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW

Shell script file execution CMDEXEC_013

command-execution L29

Detects execution of shell script files via bash/sh command or direct invocation

./install.sh

FIX

Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

FP?

Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.

LOW

pip install arbitrary package EXTDL_009

external-download L209

Detects pip install of arbitrary packages that modify the host environment

pip install ni

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW

Shell script file execution CMDEXEC_013

command-execution L210

Detects execution of shell script files via bash/sh command or direct invocation

./install.sh

FIX

Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

FP?

Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.

LOW

pip install arbitrary package EXTDL_009

external-download L215

Detects pip install of arbitrary packages that modify the host environment

pip install ni

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW

Shell script file execution CMDEXEC_013

command-execution L216

Detects execution of shell script files via bash/sh command or direct invocation

./install.sh

FIX

Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

FP?

Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.