2 medium findings.

This skill spawns subprocesses outside its declared capabilities plus 1 other issue listed below.

0 critical0 high2 medium10 rules passed

Why grade A?

score · 95 / 100

The current grade reflects 2 minor findings below all thresholds.

0 CRIT0 HIGH2 MED0 LOW

Already at the top grade — no further rules to pass.

Findings · ordered by severity

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 73CWE-78

▾

71- 避免拼接用户输入到系统命令中，使用语言原生 API（如 Python 的 `subprocess` 参数列表模式）。

72- 若必须拼接，对输入做严格白名单校验（如 IP 地址仅允许数字和点）。

73- 禁用危险函数（`system()`、`exec()`、`shell_exec()`）。← spawns a subprocess outside declared capabilities

74- 最小权限运行，限制命令执行的系统账户权限。

med

No capability manifest declared

The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.

rule: no-manifest

▾

Scan another →Share

skillox.io/r/crawl-iwnmm84rflci63sz908zy1n4