security-scanning-security-sast
github.com/sickn33/antigravity-awesome-skillsVerdict: Proceed with caution
0 critical0 high6 medium
C
SCORE 55 / 100
$skillox install security-scanning-security-sastSoon
Sign in to followFollowing emails you when a re-scan drops the grade. Opt-out is per-creator on /account/billing.
Why grade C?
score · 55 / 100The current grade reflects 6 medium findings (6+ MEDs → C).
0 CRIT0 HIGH6 MED0 LOW
To reach a higher grade
- BReach Btarget score 75
Resolve 1 of 6 MED (cap is 5).
- AReach Atarget score 95
Resolve 4 of 6 MED (cap is 2).
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Latest scan findings
Scan crawl-uxeewxuf76mdpgcazryj6jvd · Thu, 28 May 2026 17:42:52 GMT · 2ms
medArbitrary subprocess execution detectedThe skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.▾
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
141 patterns:
142 - pattern-either:
143 - pattern: os.system($CMD)← spawns a subprocess outside declared capabilities
144 - pattern: subprocess.call($CMD, shell=True)
145 - metavariable-pattern:
medArbitrary subprocess execution detectedThe skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.▾
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
142 - pattern-either:
143 - pattern: os.system($CMD)
144 - pattern: subprocess.call($CMD, shell=True)← spawns a subprocess outside declared capabilities
145 - metavariable-pattern:
146 metavariable: $CMD
medArbitrary subprocess execution detectedThe skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.▾
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
233### Command Injection
234
235**VULNERABLE**: os.system() or subprocess with shell=True and user input← spawns a subprocess outside declared capabilities
236
237**SECURE**:
medArbitrary subprocess execution detectedThe skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.▾
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
237**SECURE**:
238```python
239subprocess.run(['ping', '-c', '4', user_input]) # Array args← spawns a subprocess outside declared capabilities
240import shlex
241safe_input = shlex.quote(user_input) # Input validation
medArbitrary subprocess execution detectedThe skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.▾
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
381 for ruleset in ['auto', 'p/security-audit', 'p/owasp-top-ten']:
382 try:
383 result = subprocess.run([← spawns a subprocess outside declared capabilities
384 'semgrep', '--config', ruleset, '--json', '--quiet',
385 str(self.project_path)
medNo capability manifest declaredThe skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.rule: no-manifest▾
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule:
no-manifestskillox.io/c/security-scanning-security-sast