https://clawhub.ai/api/v1/skills/xingtu-task-invite-code/file?path=SKILL.md&version=1.0.0
github.com/clawhub.ai/xingtu-task-invite-code
Scanned Thu, 28 May 2026 15:31:27 GMT
Scan ID crawl-g38zpe4h7y44rnc26c8gyfh7 · 2ms
Grade: C
Score: 55 / 100
Verdict: Proceed with caution

9 medium findings.

This skill spawns subprocesses outside its declared capabilities plus 8 other issues listed below.

0 critical · 0 high · 9 medium · 3 rules passed

Why grade C?

score · 55 / 100

The current grade reflects 9 medium findings (6+ MEDs → C).

0 CRIT · 0 HIGH · 9 MED · 0 LOW
To reach a higher grade
  • B (target score 75): resolve 4 of 9 MED (cap is 5).
  • A (target score 95): resolve 7 of 9 MED (cap is 2).

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 117 · CWE-78
115  def ag(*args):
116      cmd = [AGENT] + list(args)
117      r = subprocess.run(cmd, capture_output=True, timeout=30)
         ^ spawns a subprocess outside declared capabilities
118      return r.stdout.decode('utf-8', errors='replace').strip()
119
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 122 · CWE-78
120  def ev(js):
121      js1 = ' '.join(js.split())  # collapse whitespace
122      r = subprocess.run([AGENT, 'eval', js1], capture_output=True, timeout=15)
         ^ spawns a subprocess outside declared capabilities
123      return r.stdout.decode('utf-8', errors='replace').strip()
124
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 305 · CWE-78
303  ### Architecture Decision: Python subprocess over PowerShell
304
305  **⚠️ Critical**: Use Python `subprocess.run()` with array arguments for all agent-browser interactions in this phase. Do NOT use PowerShell for agent-browser calls because:
     ^ spawns a subprocess outside declared capabilities
306  1. PowerShell truncates/splits JS `eval` arguments containing special characters (parentheses, quotes, arrows)
307  2. PowerShell Job-based background tasks get lost when the session ends
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 308 · CWE-78
306  1. PowerShell truncates/splits JS `eval` arguments containing special characters (parentheses, quotes, arrows)
307  2. PowerShell Job-based background tasks get lost when the session ends
308  3. Python's `subprocess.run()` with array mode preserves arguments intact
     ^ spawns a subprocess outside declared capabilities
309
310  ```python
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 324 · CWE-78
322      """Run agent-browser command and return stdout"""
323      cmd = [AGENT] + (args if isinstance(args, list) else args.split())
324      return subprocess.run(cmd, capture_output=True, timeout=timeout).stdout.decode('utf-8', errors='replace')
         ^ spawns a subprocess outside declared capabilities
325
326  def e(js, timeout=20):
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 329 · CWE-78
327      """Evaluate JavaScript in browser, return result string"""
328      js1 = ' '.join(js.split())  # collapse whitespace, critical for arg passing
329      r = subprocess.run([AGENT, 'eval', js1], capture_output=True, timeout=timeout)
         ^ spawns a subprocess outside declared capabilities
330      out = r.stdout.decode('utf-8', errors='replace').strip()
331      if out.startswith('"') and out.endswith('"'):
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 691 · CWE-78
689  ```
690
691  **Solution**: Use Python `subprocess.run()` with array-argument mode. Array mode does not go through shell parsing, so the arguments are passed intact.
     ^ spawns a subprocess outside declared capabilities
692
693  ```python
med
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
rule: subprocess-execution · line: 695 · CWE-78
693  ```python
694  # ✅ GOOD
695  subprocess.run([AGENT, 'eval', js_code], capture_output=True)
     ^ spawns a subprocess outside declared capabilities
696  ```
697
med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
skillox.io/r/crawl-g38zpe4h7y44rnc26c8gyfh7