1 high-severity finding.

This skill reads protected filesystem locations plus 1 other issue listed below.

0 critical1 high1 medium10 rules passed

Why grade B?

score · 75 / 100

The current grade reflects 1 high-severity finding (any HIGH → B).

0 CRIT1 HIGH1 MED0 LOW

To reach a higher grade

A
Reach Atarget score 95
Resolve all 1 HIGH.

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 269CWE-552

▾

267- **Safe Temp Files**: `tmpfile=$(mktemp) || exit 1; trap 'rm -f "$tmpfile"' EXIT INT TERM`

268- **Simulating Arrays**: `set -- item1 item2 item3; for arg; do process "$arg"; done`

269- **Field Parsing**: `IFS=:; while read -r user pass uid gid; do ...; done < /etc/passwd`← sensitive path — credential-exfiltration vector

270- **String Replacement**: `echo "$str" | sed 's/old/new/g'` or use parameter expansion `${str%suffix}`

271- **Default Values**: `value=${var:-default}` assigns default if var unset or null

med

No capability manifest declared

The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.

rule: no-manifest

▾

Scan another →Share

skillox.io/r/crawl-nzz0wjgnw3vur5jyos5aaq7c