Scans a skill directory for security issues, misconfigurations, and best practices.
| Category | Examples | Severity |
|---|---|---|
| ---------- | --------- | ---------- |
| Dangerous calls (critical) | os.system, eval, exec | 🔴 Critical |
| Dangerous calls (warning) | subprocess.run, os.popen | 🟡 Warning |
| Hardcoded secrets | API keys, tokens, passwords, credentials in string literals | 🔴 Critical |
| Network calls | requests.get, urllib.request.urlopen, http.client | 🟡 Warning |
| Obfuscation | getattr indirection, __import__/importlib dynamic loading, chr()-encoded strings | 🔴 Critical |
| Hidden files | Files and directories starting with . (e.g. .env, .hidden_script.py) | 🟡 Warning |
The scanner uses a three-tier severity system:
| Status | Meaning |
|---|---|
| -------- | --------- |
| 🔴 CRITICAL | Immediate security risk — hardcoded secrets, eval/exec, os.system, obfuscation detected. Requires urgent review. |
| 🟡 WARNING | Potential risk — subprocess usage, network calls, hidden files. Review recommended. |
| 🟢 OK | No findings. File is clean. |
Each file gets an individual severity rating. The overall status is the highest severity across all files — if even one file is red, the entire scan is marked CRITICAL.
The scanner catches three common bypass techniques:
getattr indirection — getattr(os, 'system')('whoami') is flagged because the second argument resolves to a known dangerous attribute name.__import__('subprocess') and importlib.import_module('subprocess') are both detected and flagged as dangerous module loads.key = "sk-" + "abcd...") or chr() sequences are resolved at scan time and matched against secret patterns.The scan_skill tool accepts a path argument pointing to a skill directory. It runs scanner.py against all .py files in that directory tree and returns a Markdown report with tables of findings grouped by file and category.
共 1 个版本