simpo-training

skills-sh:davila7_claude-code-templates__simpo-training

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 20, 2026

Findings

Score

92/100

MEDIUM 1

LOW 1

Findings (2)

MEDIUM

Git clone and execute chain SUPPLY_012

supply-chain L29

Detects git clone of repositories followed by execution of cloned content

git
clone https://github.com/huggingface/alignment-handbook.git + pip
install
.

FIX

Review the dependency tree for nested or transitive dependencies that introduce risk. Use tools like npm audit or pip-audit to identify known vulnerabilities in the dependency chain.

FP?

Likely FP if the flagged dependency is a standard, widely-used library with no known vulnerabilities at the time of scanning.

LOW

pip install arbitrary package EXTDL_009

external-download L41

Detects pip install of arbitrary packages that modify the host environment

pip
install
fl

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.