perl-security
https://raw.githubusercontent.com/affaan-m/ECC/main/docs/ja-JP/skills/perl-security/SKILL.md
github.com/affaan-m/ECC
Scanned Thu, 28 May 2026 17:00:36 GMT
Scan ID crawl-oytua8b6nqkdvcwj1439cva8 · 9ms
C
SCORE 55 / 100
Verdict: Proceed with caution

4 high-severity findings.

This skill runs unsafe shell commands plus 4 other issues listed below.

0 critical4 high1 medium7 rules passed

Why grade C?

score · 55 / 100

The current grade reflects 4 high-severity findings (3+ HIGHs → C).

0 CRIT4 HIGH1 MED0 LOW
To reach a higher grade
  • B
    Reach Btarget score 75

    Resolve 2 of 4 HIGH (cap is 2).

  • A
    Reach Atarget score 95

    Resolve all 4 HIGH.

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

high
Dangerous shell pattern: rm -rf /
The skill contains a shell command pattern (`rm -rf /`) commonly used in destructive or supply-chain attacks.
rule: dangerous-shellline: 178CWE-78
176# Bad: ユーザーデータを使った2引数open(コマンドインジェクション)
177sub bad_read($path) {
178 open my $fh, $path; # $pathが"|rm -rf /"なら、コマンドを実行!rm -rf / — common in destructive or supply-chain attacks
179 open my $fh, "< $path"; # シェルメタキャラクターインジェクション
180}
high
Dangerous shell pattern: rm -rf /
The skill contains a shell command pattern (`rm -rf /`) commonly used in destructive or supply-chain attacks.
rule: dangerous-shellline: 239CWE-78
237# Bad: 文字列形式 — シェルインジェクション!
238sub bad_search($pattern) {
239 system("grep -r '$pattern' /var/log/app/"); # $patternが"'; rm -rf / #"ならrm -rf / — common in destructive or supply-chain attacks
240}
241
high
Shell-injection vector: system/eval call with embedded variable
The skill constructs a shell command by interpolating into a string passed to an exec-family function (`system/eval call with embedded variable`). If the interpolated value comes from agent context or user input, this is direct command injection. Use parameterized APIs (`spawn` with an arg-array, `subprocess.run([...])` without `shell=True`).
rule: shell-injection-templateline: 481CWE-78
479
480# 2. 文字列形式のsystem(シェルインジェクション)
481system("convert $user_file output.png"); # CRITICAL脆弱性system/eval call with embedded variable — use a parameterized API instead
482
483# 3. SQL文字列補間
high
Shell-injection vector: system/eval call with embedded variable
The skill constructs a shell command by interpolating into a string passed to an exec-family function (`system/eval call with embedded variable`). If the interpolated value comes from agent context or user input, this is direct command injection. Use parameterized APIs (`spawn` with an arg-array, `subprocess.run([...])` without `shell=True`).
rule: shell-injection-templateline: 491CWE-78
489# 5. サニタイズせずに$ENVを信頼する
490my $path = $ENV{UPLOAD_DIR}; # 操作される可能性がある
491system("ls $path"); # 二重脆弱性system/eval call with embedded variable — use a parameterized API instead
492
493# 6. バリデーションなしにテイントを無効化
med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
Scan another →Share
skillox.io/r/crawl-oytua8b6nqkdvcwj1439cva8