just-bash-executor

github.com/vercel-labs/just-bash
Verdict: Proceed with caution
0 critical · 0 high · 7 medium
Grade: C
Score: 55 / 100

Why grade C?

score · 55 / 100

The current grade reflects 7 medium findings (6+ MEDs → C).

0 CRIT · 0 HIGH · 7 MED · 0 LOW
To reach a higher grade
  • B: target score 75. Resolve 2 of 7 MED (cap is 5).
  • A: target score 95. Resolve 5 of 7 MED (cap is 2).

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Latest scan findings

Scan crawl-xz0ckhtaa48pfm5d4iysaqak · Thu, 28 May 2026 13:13:39 GMT · 4ms

med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 430 · CWE-78
428  JSON-serialized and parsed back into a JS value.
429
430  ### Bash CLI (inside `bash.exec(...)` scripts)
     ^ spawns a subprocess outside declared capabilities
431
432  | Want | Write |
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 481 · CWE-78
479
480  // 1. JS API
481  const r1 = await bash.exec(`js-exec -c '
     ^ spawns a subprocess outside declared capabilities
482    try {
483      const r = await tools.math.add({ a: 2, b: 3 });
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 498 · CWE-78
496    `echo '{"a":2,"b":3}' | math add`,
497  ]) {
498    const r = await bash.exec(cmd);
     ^ spawns a subprocess outside declared capabilities
499    console.log(`${cmd} → ${r.stdout.trim()} (exit=${r.exitCode})`);
500  }
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 503 · CWE-78
501
502  // 3. Help text
503  process.stdout.write((await bash.exec("math --help")).stdout);
     ^ spawns a subprocess outside declared capabilities
504  ```
505
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 512 · CWE-78
510  1. **Exec works.** A simple call returns exit 0 with parseable JSON on stdout:
511     ```ts
512     const r = await bash.exec(`<ns> <subcommand> <args>`);
     ^ spawns a subprocess outside declared capabilities
513     JSON.parse(r.stdout); // should not throw
514     ```
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 517 · CWE-78
515  2. **Wrong path errors clearly.** `await tools.ns.nope({})` throws with
516     `Unknown tool` in the message — confirms dispatch is wired.
517  3. **Help reflects discovery.** `bash.exec("<ns> --help")` lists every tool
     ^ spawns a subprocess outside declared capabilities
518     the user expected. If a tool's missing, the source registration didn't pick
519     it up (most often: missing `operationId` for OpenAPI; subscription field
med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
skillox.io/c/just-bash-executor