First Seen
Feb 20, 2026
Last Scanned
Feb 22, 2026
Findings
4
Score
85/100
Findings (4)
Skill can read private data (credentials, SSH keys, env vars) AND write to public channels (Slack, Discord, email). This combination enables data exfiltration.
[reads_private_data] access
credentials + [writes_public_output] send --to "your-emailBreak the toxic data flow by adding validation and sanitization between the input source and the sensitive operation. Do not pass untrusted data directly to file system, network, or execution APIs.
Likely FP if the data flow involves only trusted, hardcoded values and the taint analysis over-approximated the untrusted input sources.
Detects global installation of packages which affects the host system
npm install -g gReplace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.
Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.
Detects URLs fetched at runtime that control or influence agent behavior without pinning
Download from https:// + configAvoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.
Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.
Detects CLI tools granting unrestricted send/read access to email or messaging
gmail send --toRestrict email and messaging API access to user-initiated actions. Prevent automated sending that could exfiltrate data via email body or attachments.
Likely FP if the skill is an email client or messaging tool whose documented purpose is to send messages on behalf of the user.