web-reader

[Skill Scanner] Backtick command substitution detected All findings: [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] This Skill README and example code are coherent with the stated purpose: they instruct how to extract page content using an external SDK and provide reasonable best-practices (rate-limiting, caching, backend-only usage). There is no direct evidence of malicious code in the provided fragment. The primary supply-chain risk is the external dependency z-ai-web-dev-sdk (a black box here): developers should verify the SDK’s provenance and be careful to store its credentials correctly and sanitize returned HTML before exposing it to end users. Overall the fragment appears benign but relies on a third-party SDK which should be audited before production use. LLM verification: No direct signs of malware or intentionally malicious code are present in the provided skill documentation and examples. The primary security risk is operational: accepting arbitrary URLs and using an SDK to fetch them can enable SSRF, internal resource discovery, or disclosure of sensitive content via logs/files if run on infrastructure with internal network access. Additional trust/ supply-chain concerns arise from lack of detail about the SDK's network behavior (direct fetch vs proxying). Rec