background-jobs
Audited by Socket on Feb 15, 2026
1 alert found:
Security [Skill Scanner]: Backtick command substitution detected

All findings:
  [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
  [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill is a coherent background job processing implementation with the expected capabilities: enqueueing, retries with exponential backoff, a dead-letter queue, scheduling, and handlers that can perform network actions (email/webhook). I found no signs of obfuscation, hidden backdoors, credential harvesting, or calls to suspicious external domains in the code fragment.

Security concerns are primarily implementation- and configuration-related:
  - webhookHandler posts to arbitrary URLs without validation (risk of unintended data exfiltration or SSRF if untrusted payloads are accepted).
  - The worker does not respect the shutdown flag.
  - DLQ removal logic may fail because it matches on the JSON string after the job has been mutated.
  - The cron parser is overly simplistic and may behave unexpectedly.
  - There is a likely Redis API mismatch (bzpopmin vs. sorted set).
These are actionable reliability/security fixes rather than evidence of malicious intent.

LLM verification: No clear malicious code was found in the provided skill fragment. The implementation aligns with the documented purpose (background job processing). The main security concerns are operational and misuse risks: unvalidated payloads allow SSRF or exfiltration via webhookHandler, job payloads (possibly containing secrets) are stored in Redis in plaintext, and any registered handler has full execution privileges. The webhook handler is truncated in the snippet, which prevents complete review of its