owasp-check

Warn

Audited by Socket on Feb 21, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

All findings:

- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill is a legitimate OWASP Top 10 scanner whose implemented checks and report generation align with its stated purpose. No direct malicious code, downloads, or remote exfiltration are present. Security concerns are operational: the scanner prints and persists matched lines (including potential secrets) to reports and a shared .claude cache, and it delegates to external tooling without pinning or verification; these behaviors increase the risk of leaking sensitive data in CI/artifacts and enlarge the blast radius across skills.

Recommendations: avoid printing full secret matches, redact or avoid storing sensitive content in persistent shared caches, restrict cache permissions and TTL, pin and verify external tooling installs, and document where scan outputs are stored and who can access them.

LLM verification: This skill is functionally consistent with its stated purpose (OWASP Top 10 scanning) and contains no obvious backdoors, remote download-execute patterns, or covert exfiltration to attacker-controlled domains. Main risks are operational: the scanner prints matched secret content and persists results/caches under shared directories, which could leak sensitive data if reports or caches are stored in source control or CI artifacts. The guidance to install third-party tools is normal but increases su

Confidence: 80%
Severity: 75%
Audit Metadata
Analyzed At
Feb 21, 2026, 12:27 PM
Package URL
pkg:socket/skills-sh/manastalukdar%2Fclaude-devstudio%2Fowasp-check%2F@7075924908169ae3d8f40ba9afd69a541208c7b2