starlark-dev

github.com/kurtosis-tech/kurtosis
Verdict: Proceed with caution
0 critical · 0 high · 6 medium
Grade C · score 55 / 100
$ skillox install starlark-dev (coming soon)

Why grade C?

score · 55 / 100

The current grade reflects 6 medium findings (6+ MEDs → C).

0 CRIT · 0 HIGH · 6 MED · 0 LOW

To reach a higher grade
  • B (target score 75): resolve 1 of 6 MED (cap is 5).
  • A (target score 95): resolve 4 of 6 MED (cap is 2).

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Latest scan findings

Scan crawl-yn46c7v4qy2ghscugvwz52de · Thu, 28 May 2026 15:18:29 GMT · 3ms

MED · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 68 · CWE-78

    66  Kurtosis Starlark executes in two phases:
    67
    68  1. **Planning phase** — Your code runs and builds a plan of actions. `add_service()`, `exec()`, etc. don't execute immediately — they return future references.
        ↳ flagged: spawns a subprocess outside declared capabilities
    69  2. **Execution phase** — The plan is executed in order. Future references are resolved to actual values.
    70
MED · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 71 · CWE-78

    69  2. **Execution phase** — The plan is executed in order. Future references are resolved to actual values.
    70
    71  This means you **cannot** use the return value of `plan.exec()` in Python-level logic like `if/else` during the planning phase. Use `plan.verify()` or `plan.assert()` instead.
        ↳ flagged: spawns a subprocess outside declared capabilities
    72
    73  ```python
MED · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 75 · CWE-78

    73  ```python
    74  # WRONG: result is a future reference, not a real value during planning
    75  result = plan.exec(service_name="my-service", recipe=ExecRecipe(command=["echo", "hello"]))
        ↳ flagged: spawns a subprocess outside declared capabilities
    76  if result["output"] == "hello":  # This won't work as expected
    77      plan.print("matched")
MED · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 80 · CWE-78

    78
    79  # RIGHT: use plan.verify for conditional checks
    80  result = plan.exec(service_name="my-service", recipe=ExecRecipe(command=["echo", "hello"]))
        ↳ flagged: spawns a subprocess outside declared capabilities
    81  plan.verify(result["exit_code"], "==", 0)
    82  ```
MED · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 116 · CWE-78

    114
    115  ```python
    116  result = plan.exec(
        ↳ flagged: spawns a subprocess outside declared capabilities
    117      service_name="my-service",
    118      recipe=ExecRecipe(command=["cat", "/etc/hostname"]),
MED · No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
skillox.io/c/starlark-dev