github-code-review@ 1.0.0
https://raw.githubusercontent.com/ruvnet/ruflo/main/.agents/skills/github-code-review/SKILL.md
github.com/ruvnet/ruflo
Scanned Thu, 28 May 2026 17:34:15 GMT
Scan ID crawl-fj07vbtogq14q3rj6nlimzdg · 6ms
B
SCORE 75 / 100
Verdict: Safe to install

2 high-severity findings.

This skill triggers the shell-injection-template rule plus 4 other issues listed below.

0 critical2 high3 medium7 rules passed

Why grade B?

score · 75 / 100

The current grade reflects 2 high-severity findings (any HIGH → B).

0 CRIT2 HIGH3 MED0 LOW
To reach a higher grade
  • A
    Reach Atarget score 95

    Resolve all 2 HIGH + 1 of 3 MED (cap is 2).

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

high
Shell-injection vector: child_process exec/spawn with template literal
The skill constructs a shell command by interpolating into a string passed to an exec-family function (`child_process exec/spawn with template literal`). If the interpolated value comes from agent context or user input, this is direct command injection. Use parameterized APIs (`spawn` with an arg-array, `subprocess.run([...])` without `shell=True`).
rule: shell-injection-templateline: 402CWE-78
400
401 if (event.action === 'opened' && event.pull_request) {
402 execSync(`npx ruv-swarm github pr-init ${event.pull_request.number}`);child_process exec/spawn with template literal — use a parameterized API instead
403 }
404
high
Shell-injection vector: child_process exec/spawn with template literal
The skill constructs a shell command by interpolating into a string passed to an exec-family function (`child_process exec/spawn with template literal`). If the interpolated value comes from agent context or user input, this is direct command injection. Use parameterized APIs (`spawn` with an arg-array, `subprocess.run([...])` without `shell=True`).
rule: shell-injection-templateline: 407CWE-78
405 if (event.comment && event.comment.body.startsWith('$swarm')) {
406 const command = event.comment.body;
407 execSync(`npx ruv-swarm github handle-comment --pr ${event.issue.number} --command "${command}"`);child_process exec/spawn with template literal — use a parameterized API instead
408 }
409
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-executionline: 395CWE-78
393// webhook-handler.js
394const { createServer } = require('http');
395const { execSync } = require('child_process');spawns a subprocess outside declared capabilities
396
397createServer((req, res) => {
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-executionline: 402CWE-78
400
401 if (event.action === 'opened' && event.pull_request) {
402 execSync(`npx ruv-swarm github pr-init ${event.pull_request.number}`);spawns a subprocess outside declared capabilities
403 }
404
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-executionline: 407CWE-78
405 if (event.comment && event.comment.body.startsWith('$swarm')) {
406 const command = event.comment.body;
407 execSync(`npx ruv-swarm github handle-comment --pr ${event.issue.number} --command "${command}"`);spawns a subprocess outside declared capabilities
408 }
409
Scan another →Share
skillox.io/r/crawl-fj07vbtogq14q3rj6nlimzdg