perl-security

github.com/affaan-m/ECC
Verdict: Proceed with caution
0 critical4 high1 medium
C
SCORE 55 / 100
$skillox install perl-securitySoon
Sign in to followFollowing emails you when a re-scan drops the grade. Opt-out is per-creator on /account/billing.

Why grade C?

score · 55 / 100

The current grade reflects 4 high-severity findings (3+ HIGHs → C).

0 CRIT4 HIGH1 MED0 LOW
To reach a higher grade
  • B
    Reach Btarget score 75

    Resolve 2 of 4 HIGH (cap is 2).

  • A
    Reach Atarget score 95

    Resolve all 4 HIGH.

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Latest scan findings

Scan crawl-oytua8b6nqkdvcwj1439cva8 · Thu, 28 May 2026 17:00:36 GMT · 9ms

high
Dangerous shell pattern: rm -rf /
The skill contains a shell command pattern (`rm -rf /`) commonly used in destructive or supply-chain attacks.
rule: dangerous-shellline: 178CWE-78
176# Bad: ユーザーデータを使った2引数open(コマンドインジェクション)
177sub bad_read($path) {
178 open my $fh, $path; # $pathが"|rm -rf /"なら、コマンドを実行!rm -rf / — common in destructive or supply-chain attacks
179 open my $fh, "< $path"; # シェルメタキャラクターインジェクション
180}
high
Dangerous shell pattern: rm -rf /
The skill contains a shell command pattern (`rm -rf /`) commonly used in destructive or supply-chain attacks.
rule: dangerous-shellline: 239CWE-78
237# Bad: 文字列形式 — シェルインジェクション!
238sub bad_search($pattern) {
239 system("grep -r '$pattern' /var/log/app/"); # $patternが"'; rm -rf / #"ならrm -rf / — common in destructive or supply-chain attacks
240}
241
high
Shell-injection vector: system/eval call with embedded variable
The skill constructs a shell command by interpolating into a string passed to an exec-family function (`system/eval call with embedded variable`). If the interpolated value comes from agent context or user input, this is direct command injection. Use parameterized APIs (`spawn` with an arg-array, `subprocess.run([...])` without `shell=True`).
rule: shell-injection-templateline: 481CWE-78
479
480# 2. 文字列形式のsystem(シェルインジェクション)
481system("convert $user_file output.png"); # CRITICAL脆弱性system/eval call with embedded variable — use a parameterized API instead
482
483# 3. SQL文字列補間
high
Shell-injection vector: system/eval call with embedded variable
The skill constructs a shell command by interpolating into a string passed to an exec-family function (`system/eval call with embedded variable`). If the interpolated value comes from agent context or user input, this is direct command injection. Use parameterized APIs (`spawn` with an arg-array, `subprocess.run([...])` without `shell=True`).
rule: shell-injection-templateline: 491CWE-78
489# 5. サニタイズせずに$ENVを信頼する
490my $path = $ENV{UPLOAD_DIR}; # 操作される可能性がある
491system("ls $path"); # 二重脆弱性system/eval call with embedded variable — use a parameterized API instead
492
493# 6. バリデーションなしにテイントを無効化
med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
View latest scan →
skillox.io/c/perl-security