grepai-search-advanced

skills-sh:yoanbernabeu_grepai-skills__grepai-search-advanced

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 20, 2026

Findings

Score

92/100

MEDIUM 1

LOW 2

Findings (3)

MEDIUM

Node.js child process execution CMDEXEC_004

command-execution L230

Detects Node.js child_process methods for command execution

execSync('

FIX

Use execFile() or spawn() with explicit argument arrays instead of exec() with a shell string. Validate all inputs before passing to child_process methods.

FP?

Likely FP if the match is in a README code example or package.json script field that runs a well-known CLI tool (e.g., eslint, tsc).

LOW

Python subprocess execution CMDEXEC_003

command-execution L214

Detects Python subprocess and os.system calls for command execution in skill descriptions

subprocess.run(

FIX

Pass arguments as an explicit list instead of a shell string. Set shell=False and validate all user-supplied values before inclusion.

FP?

Likely FP if the match is in documentation explaining Python subprocess usage or in a description mentioning it as a topic.

LOW

Clipboard access with network EXFIL_006

exfiltration L307

Detects clipboard access combined with network operations

pbcopy + nc

FIX

Restrict DNS queries to legitimate resolution. Block the construction of DNS names that encode arbitrary data (DNS tunneling). Monitor for unusually long or high-entropy subdomains.

FP?

Likely FP if the match is a documentation reference to DNS lookup functionality for legitimate hostname resolution.