B
85/100 First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
1
Score
85/100
HIGH 1
Findings (1)
HIGH
Private data read with code execution
L279 Skill can read private data AND execute arbitrary code. This combination enables credential theft via dynamic code.
[reads_private_data] load } = await jwtVerify(token, secret + [executes_code] exec( FIX
Add input validation between the user-controlled data source and the security-sensitive sink (e.g., file writes, command execution). Implement allowlisting for acceptable input patterns.
FP?
Likely FP if the user input passes through explicit validation or sanitization before reaching the sensitive operation, and the taint tracker missed the sanitization step.