security-scanning-security-sast
skills-sh:sickn33_antigravity-awesome-skills__security-scanning-security-sast
First Seen: Feb 18, 2026
Last Scanned: Feb 20, 2026
Findings: 14
Score: 69/100
Findings (14)
Finding 1
Rule: Code block labeled "markdown" contains executable content
Match:
    rules:
    - id: sql-injection-format-string
      pattern: cursor.execute("... %s ..." % $VAR)
      message: SQL injection via string formatting
      severity: ERROR
      languages: [python]
      metadata:
    ...
Fix: Align the tool description with what the code actually does. If the description says one thing but the code does another, update the description to be accurate or fix the code.
FP note: Likely FP if the NLP analyzer misinterpreted technical jargon or the description accurately describes behavior through domain-specific terminology.
Finding 2
Rule: Detects Python subprocess and os.system calls for command execution in skill descriptions
Match: os.system(
Fix: Pass arguments as an explicit list instead of a shell string. Set shell=False and validate all user-supplied values before inclusion.
FP note: Likely FP if the match is in documentation explaining Python subprocess usage or in a description mentioning it as a topic.

Finding 3
Rule: Detects subprocess calls with shell=True, which enables shell injection
Match: shell=True
Fix: Replace shell=True with shell=False and pass command arguments as a list. Validate and sanitize all inputs before passing to the shell.
FP note: Likely FP if the match is in documentation describing how subprocess works, or in a comment explaining shell risks rather than actual code.

Finding 4
Rule: Detects pip install of arbitrary packages that modify the host environment
Match: pip install ba
Fix: Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
FP note: Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

Finding 5
Rule: Detects pip install of arbitrary packages that modify the host environment
Match: pip install se
Fix: Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
FP note: Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

Finding 6
Rule: Detects Python subprocess and os.system calls for command execution in skill descriptions
Match: os.system(
Fix: Pass arguments as an explicit list instead of a shell string. Set shell=False and validate all user-supplied values before inclusion.
FP note: Likely FP if the match is in documentation explaining Python subprocess usage or in a description mentioning it as a topic.

Finding 7
Rule: Detects Python subprocess and os.system calls for command execution in skill descriptions
Match: subprocess.call(
Fix: Pass arguments as an explicit list instead of a shell string. Set shell=False and validate all user-supplied values before inclusion.
FP note: Likely FP if the match is in documentation explaining Python subprocess usage or in a description mentioning it as a topic.

Finding 8
Rule: Detects subprocess calls with shell=True, which enables shell injection
Match: subprocess.call($CMD, shell=True
Fix: Replace shell=True with shell=False and pass command arguments as a list. Validate and sanitize all inputs before passing to the shell.
FP note: Likely FP if the match is in documentation describing how subprocess works, or in a comment explaining shell risks rather than actual code.

Finding 9
Rule: Detects subprocess calls with shell=True, which enables shell injection
Match: shell=True
Fix: Replace shell=True with shell=False and pass command arguments as a list. Validate and sanitize all inputs before passing to the shell.
FP note: Likely FP if the match is in documentation describing how subprocess works, or in a comment explaining shell risks rather than actual code.

Finding 10
Rule: Detects Python subprocess and os.system calls for command execution in skill descriptions
Match: subprocess.run(
Fix: Pass arguments as an explicit list instead of a shell string. Set shell=False and validate all user-supplied values before inclusion.
FP note: Likely FP if the match is in documentation explaining Python subprocess usage or in a description mentioning it as a topic.

Finding 11
Rule: Detects Python subprocess and os.system calls for command execution in skill descriptions
Match: subprocess.run(
Fix: Pass arguments as an explicit list instead of a shell string. Set shell=False and validate all user-supplied values before inclusion.
FP note: Likely FP if the match is in documentation explaining Python subprocess usage or in a description mentioning it as a topic.

Finding 12
Rule: Detects pip install of arbitrary packages that modify the host environment
Match: pip install ba
Fix: Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
FP note: Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

Finding 13
Rule: Detects global installation of packages, which affects the host system
Match: npm install -g e
Fix: Replace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.
FP note: Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.

Finding 14
Rule: Detects pip install of arbitrary packages that modify the host environment
Match: pip install ba
Fix: Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
FP note: Likely FP if the match is in documentation showing how to install the skill's own PyPI package.