skill-scanner

skills-sh:getsentry_skills__skill-scanner

D
47/100

First Seen

Feb 19, 2026

Last Scanned

Feb 20, 2026

Findings

6

Score

47/100

HIGH 3
MEDIUM 1
LOW 2

Findings (6)

HIGH
Private data read with code execution
L86

Skill can read private data AND execute arbitrary code. This combination enables credential theft via dynamic code.

[reads_private_data] read ~/.ssh + [executes_code] shell=True
FIX

Add input validation between the user-controlled data source and the security-sensitive sink (e.g., file writes, command execution). Implement allowlisting for acceptable input patterns.

FP?

Likely FP if the user input passes through explicit validation or sanitization before reaching the sensitive operation, and the taint tracker missed the sanitization step.

HIGH
Sensitive file read pattern
L86

Detects reads of sensitive system or credential files

read ~/.ssh
FIX

Prevent the tool from reading environment variables and sending them to external endpoints. If env access is needed, restrict it to specific variable names via an allowlist.

FP?

Likely FP if the match is documentation about how to configure environment variables, not code that reads and transmits them.

HIGH
Read sensitive files and transmit externally
L86

Detects skills that both read sensitive credential files and send data to external services

read ~/.ssh + send data to external
FIX

Block access to git credentials, SSH keys, and repository tokens. If git operations are needed, use scoped deploy keys and restrict the tool to specific repositories.

FP?

Likely FP if the match is documentation about git configuration (e.g., setting up git credentials helper) rather than code that reads and transmits them.

MEDIUM
Shell subprocess with shell=True
L114

Detects subprocess calls with shell=True, which enables shell injection

shell=True
FIX

Replace shell=True with shell=False and pass command arguments as a list. Validate and sanitize all inputs before passing to the shell.

FP?

Likely FP if the match is in documentation describing how subprocess works, or in a comment explaining shell risks rather than actual code.

LOW
Unscoped Bash tool in allowed tools
L7

Detects skills that include unscoped Bash in their allowed tools list (not Bash(cmd:*) scoped)

allowed-tools: Read, Grep, Glob, Bash
FIX

Scope the Bash tool to specific commands using allowedTools patterns (e.g., Bash(git *) instead of bare Bash). Remove blanket Bash access from allowed_tools lists.

FP?

Likely FP if the Bash entry in allowed_tools is part of a constrained configuration that limits commands elsewhere (e.g., via system prompt restrictions).

LOW
Unscoped Bash tool in allowed tools
L64

Detects skills that include unscoped Bash in their allowed tools list (not Bash(cmd:*) scoped)

allowed-tools` — is Bash 
FIX

Scope the Bash tool to specific commands using allowedTools patterns (e.g., Bash(git *) instead of bare Bash). Remove blanket Bash access from allowed_tools lists.

FP?

Likely FP if the Bash entry in allowed_tools is part of a constrained configuration that limits commands elsewhere (e.g., via system prompt restrictions).