Skills
skills/devbyray/agent-skill-security-scan/security-scan/Gen Agent Trust Hub

security-scan

Warn

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/scan.mjs heavily relies on execSync to run shell utilities like find, grep, and cat to perform its scanning logic.
  • [REMOTE_CODE_EXECUTION]: Multiple functions in scripts/scan.mjs are vulnerable to command injection because they interpolate data from the codebase being scanned directly into shell command strings without sanitization.
  • In the scanSecrets function, the script executes cat "${f}" where f is a filename returned by find. A file with a name like $(touch pwned).js would trigger arbitrary command execution.
  • In the scanNpmAudit function, the script uses cd "${absDir}", which is vulnerable if the directory path contains shell metacharacters.
  • In the scanDependencies function, the script runs npm view "${name}@${version}" using package names and versions parsed directly from a package.json file, allowing for injection via malicious package metadata.
  • [SAFE]: The skill recommends and integrates with well-known security tools such as Semgrep, Trivy, and Gitleaks.
  • [SAFE]: The use of official package registries via npm audit and npm view for dependency analysis is consistent with the skill's intended security purpose.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 6, 2026, 08:43 PM