First Seen
Feb 18, 2026
Last Scanned
Feb 20, 2026
Findings
6
Score
54/100
Findings (6)
Skill has destructive capabilities AND can execute arbitrary code. This combination enables ransomware-like attacks.
[destructive] DROP TABLE + [executes_code] subprocess.run(Isolate security-sensitive operations from untrusted data flows. Use separate execution contexts or privilege levels for operations that handle both user input and sensitive resources.
Likely FP if the toxic flow analysis connected two unrelated code paths, or if the data undergoes transformation that removes the taint (e.g., parsed as a known enum value).
Skill can read private data AND execute arbitrary code. This combination enables credential theft via dynamic code.
[reads_private_data] /etc/passwd + [executes_code] subprocess.run(Add input validation between the user-controlled data source and the security-sensitive sink (e.g., file writes, command execution). Implement allowlisting for acceptable input patterns.
Likely FP if the user input passes through explicit validation or sanitization before reaching the sensitive operation, and the taint tracker missed the sanitization step.
Detects path traversal patterns targeting sensitive files, including URL-encoded variants
../../../etc/passwdPin Git dependencies to specific commit hashes instead of branch names or tags. Branches and tags are mutable and can be updated to point to malicious code.
Likely FP if the Git reference points to a tagged release of a well-known repository, though tags are technically mutable.
Detects path traversal patterns targeting sensitive files, including URL-encoded variants
%2e%2e%Pin Git dependencies to specific commit hashes instead of branch names or tags. Branches and tags are mutable and can be updated to point to malicious code.
Likely FP if the Git reference points to a tagged release of a well-known repository, though tags are technically mutable.
Detects Python subprocess and os.system calls for command execution in skill descriptions
subprocess.run(Pass arguments as an explicit list instead of a shell string. Set shell=False and validate all user-supplied values before inclusion.
Likely FP if the match is in documentation explaining Python subprocess usage or in a description mentioning it as a topic.
Detects outbound connections to non-standard ports
http://127.0.0.1:1337Restrict network connections to standard ports (80, 443) and explicitly allowlisted service ports. Block connections to unusual ports that could indicate covert channels.
Likely FP if the non-standard port is localhost (127.0.0.1) used for local development servers (e.g., port 3000, 8080, 5432 for a local database).