starlark-dev
github.com/kurtosis-tech/kurtosis
Scanned Thu, 28 May 2026 15:18:29 GMT
Scan ID crawl-yn46c7v4qy2ghscugvwz52de · 3ms
C
SCORE 55 / 100
Verdict: Proceed with caution
6 medium findings.
This skill spawns subprocesses outside its declared capabilities plus 5 other issues listed below.
0 critical · 0 high · 6 medium · 6 rules passed
Why grade C?
score · 55 / 100
The current grade reflects 6 medium findings (6+ MEDs → C).
0 CRIT · 0 HIGH · 6 MED · 0 LOW
To reach a higher grade
- B: reach B (target score 75)
  Resolve 1 of 6 MED (cap is 5).
- A: reach A (target score 95)
  Resolve 4 of 6 MED (cap is 2).
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Findings · ordered by severity
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
66 | Kurtosis Starlark executes in two phases:
67 |
68 | 1. **Planning phase** — Your code runs and builds a plan of actions. `add_service()`, `exec()`, etc. don't execute immediately — they return future references. ← spawns a subprocess outside declared capabilities
69 | 2. **Execution phase** — The plan is executed in order. Future references are resolved to actual values.
70 |
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
69 | 2. **Execution phase** — The plan is executed in order. Future references are resolved to actual values.
70 |
71 | This means you **cannot** use the return value of `plan.exec()` in Python-level logic like `if/else` during the planning phase. Use `plan.verify()` or `plan.assert()` instead. ← spawns a subprocess outside declared capabilities
72 |
73 | ```python
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
73 | ```python
74 | # WRONG: result is a future reference, not a real value during planning
75 | result = plan.exec(service_name="my-service", recipe=ExecRecipe(command=["echo", "hello"])) ← spawns a subprocess outside declared capabilities
76 | if result["output"] == "hello":  # This won't work as expected
77 |     plan.print("matched")
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
78 |
79 | # RIGHT: use plan.verify for conditional checks
80 | result = plan.exec(service_name="my-service", recipe=ExecRecipe(command=["echo", "hello"])) ← spawns a subprocess outside declared capabilities
81 | plan.verify(result["exit_code"], "==", 0)
82 | ```
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
114 |
115 | ```python
116 | result = plan.exec( ← spawns a subprocess outside declared capabilities
117 |     service_name="my-service",
118 |     recipe=ExecRecipe(command=["cat", "/etc/hostname"]),
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
skillox.io/r/crawl-yn46c7v4qy2ghscugvwz52de