openclaw-sec

clawhub:openclaw-sec

F (0/100)

First Seen: Feb 18, 2026
Last Scanned: Feb 22, 2026
Findings: 15
Score: 0/100

HIGH 7
MEDIUM 4
LOW 4

Findings (15)

HIGH: Destructive actions with code execution (L99)

Skill has destructive capabilities AND can execute arbitrary code. This combination enables ransomware-like attacks.

Match: [destructive] rm -rf / + [executes_code] subprocess.run(

FIX: Isolate security-sensitive operations from untrusted data flows. Use separate execution contexts or privilege levels for operations that handle both user input and sensitive resources.

FP?: Likely FP if the toxic flow analysis connected two unrelated code paths, or if the data undergoes transformation that removes the taint (e.g., parsed as a known enum value).

HIGH: Private data read with public output (L706)

Skill can read private data (credentials, SSH keys, env vars) AND write to public channels (Slack, Discord, email). This combination enables data exfiltration.

Match: [reads_private_data] access keys + secret + [writes_public_output] hooks.slack.com/services/

FIX: Break the toxic data flow by adding validation and sanitization between the input source and the sensitive operation. Do not pass untrusted data directly to file system, network, or execution APIs.

FP?: Likely FP if the data flow involves only trusted, hardcoded values and the taint analysis over-approximated the untrusted input sources.

HIGH: Private data read with code execution (L706)

Skill can read private data AND execute arbitrary code. This combination enables credential theft via dynamic code.

Match: [reads_private_data] access keys + secret + [executes_code] subprocess.run(

FIX: Add input validation between the user-controlled data source and the security-sensitive sink (e.g., file writes, command execution). Implement allowlisting for acceptable input patterns.

FP?: Likely FP if the user input passes through explicit validation or sanitization before reaching the sensitive operation, and the taint tracker missed the sanitization step.

HIGH: Instruction override attempt (L225)

Detects attempts to override or ignore previous instructions.

Match: override system instructions

FIX: Remove the injection payload from the skill definition. Text that attempts to reset agent context or override prior directives is a direct attack vector.

FP?: Likely FP if the text is in a security tutorial or research paper discussing injection techniques as examples, not in an active skill description.

HIGH: Instruction override attempt (L624)

Detects attempts to override or ignore previous instructions.

Match: Ignore all previous instructions

FIX: Remove the injection payload from the skill definition. Text that attempts to reset agent context or override prior directives is a direct attack vector.

FP?: Likely FP if the text is in a security tutorial or research paper discussing injection techniques as examples, not in an active skill description.

HIGH: Jailbreak template (L625)

Detects common jailbreak prompt patterns.

Match: developer mode

FIX: Remove directives that attempt to exfiltrate data through the agent's response (e.g., asking the agent to embed credentials in URLs or include secret values in output).

FP?: Likely FP if the text is a legitimate tool instruction about displaying configuration to the user (e.g., show current settings) without external transmission.

HIGH: Private key block (L722)

Detects PEM-encoded private keys.

Match: -----BEGIN RSA PRIVATE KEY-----

FIX: Remove the private key block from the skill definition. Store private keys in a secrets manager or encrypted volume and reference them via environment variables.

FP?: Likely FP if the match is a documentation example showing the format of a PEM block without a real key body.

MEDIUM: Path traversal attempt (L154)

Detects path traversal patterns targeting sensitive files, including URL-encoded variants.

Match: ../../../etc/passwd

FIX: Pin Git dependencies to specific commit hashes instead of branch names or tags. Branches and tags are mutable and can be updated to point to malicious code.

FP?: Likely FP if the Git reference points to a tagged release of a well-known repository, though tags are technically mutable.

MEDIUM: File read piped to HTTP transmission (L648)

Detects reading files piped directly to network commands.

Match: cat file | nc

FIX: Restrict file uploads to user-initiated actions with explicit confirmation. Block programmatic upload of sensitive files (keys, configs, credentials) to external services.

FP?: Likely FP if the skill is a file-sharing tool where uploading is the documented core feature and destinations are user-configured.

MEDIUM: Path traversal attempt (L691)

Detects path traversal patterns targeting sensitive files, including URL-encoded variants.

Match: ../../../etc/passwd

FIX: Pin Git dependencies to specific commit hashes instead of branch names or tags. Branches and tags are mutable and can be updated to point to malicious code.

FP?: Likely FP if the Git reference points to a tagged release of a well-known repository, though tags are technically mutable.

MEDIUM: Conditional CI execution (L742)

Detects conditional execution based on CI environment variables combined with dangerous commands.

Match: eval(

FIX: Pin all dependencies to exact versions with integrity hashes. Use lock files (package-lock.json, poetry.lock) and enable checksum verification in your package manager.

FP?: Likely FP if the match is documentation about dependency management best practices rather than actual unpinned dependency declarations.

LOW: Shell script file execution (L583)

Detects execution of shell script files via bash/sh command or direct invocation.

Match: ./install-hooks.sh

FIX: Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

FP?: Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.

LOW: Non-standard port communication (L648)

Detects outbound connections to non-standard ports.

Match: nc attacker.com 1234

FIX: Restrict network connections to standard ports (80, 443) and explicitly allowlisted service ports. Block connections to unusual ports that could indicate covert channels.

FP?: Likely FP if the non-standard port is localhost (127.0.0.1) used for local development servers (e.g., port 3000, 8080, 5432 for a local database).

LOW: Dynamic code evaluation (L742)

Detects eval() or exec() used for dynamic code execution.

Match: eval(m

FIX: Replace eval()/exec() with a safer alternative such as json.loads(), ast.literal_eval(), or a purpose-built parser.

FP?: Likely FP if the matched text contains 'exec' as part of a word (e.g., 'execute', 'execution') rather than an actual eval() or exec() call.

LOW: Python subprocess execution (L845)

Detects Python subprocess and os.system calls for command execution in skill descriptions.

Match: subprocess.run(

FIX: Pass arguments as an explicit list instead of a shell string. Set shell=False and validate all user-supplied values before inclusion.

FP?: Likely FP if the match is in documentation explaining Python subprocess usage or in a description mentioning it as a topic.