DatabaseVerificado

High risk

security-pen-testing

Critical signals were detected and installation should be handled carefully.

0/100

5critical1high2medium

Recomendacoes

🚨 Pontuação 0/100 — Esta skill é extremamente perigosa. Não instalar.

Riscos Detectados8

Data Exfiltrationcritical

data_exfiltration

Data exfiltration attempt

Line 201

Snippets

L201

    "evidence": "Request: POST /api/login {\"email\": \"' OR 1=1--\", \"password\": \"x\"}\nResponse: 200 OK with admin session token",

L2540

            "evidence": "Request: POST /api/login {\"email\": \"' OR 1=1--\", \"password\": \"x\"}\nResponse: 200 OK with admin session token",

L201

    "evidence": "Request: POST /api/login {\"email\": \"' OR 1=1--\", \"password\": \"x\"}\nResponse: 200 OK with admin session token",

Exec Callcritical

exec_call

System command execution

Line 1120

Snippets

L11206. Never pass user input to eval(), exec(), os.system(), or child_process

L2791

                "recommendation": "Never use eval() or exec() with untrusted input. Use ast.literal_eval() for data parsing.",

Eval Callcritical

eval_call

Use of eval()

Line 405

Snippets

L405eval()

L11206. Never pass user input to eval(), exec(), os.system(), or child_process

L2791

                "recommendation": "Never use eval() or exec() with untrusted input. Use ast.literal_eval() for data parsing.",

Python Picklecritical

python_pickle

Unsafe deserialization (Python pickle)

Line 1291

Snippets

L12912. Avoid `pickle.loads()` on untrusted data

L3034 "Review code for pickle.load(), yaml.load(), Java ObjectInputStream.",

Python Subprocesscritical

python_subprocess

System command execution (Python)

Line 1120

Snippets

L11206. Never pass user input to eval(), exec(), os.system(), or child_process

Sensitive Fileshigh

sensitive_files

Sensitive system file access

Line 162

Snippets

L162| **Path Traversal** | `../../../etc/passwd`, URL encoding, double encoding bypasses |

Fs Readmedium

fs_read

Filesystem read access

Line 2835

Snippets

L2835

                "pattern": r'''(?:open|readFile|readFileSync|Path\.join)\s*\(.*(?:request\.|req\.|params|args|input|user)''',

L2835

                "pattern": r'''(?:open|readFile|readFileSync|Path\.join)\s*\(.*(?:request\.|req\.|params|args|input|user)''',

Network Callmedium

network_call

Outbound network call

Line 248

Snippets

L248curl -sI https://target.com | grep -iE "(strict-transport|content-security|x-frame|x-content-type)"

L621If the server fetches keys from a JWKS URL in the JWT header:

L1341

SSRF occurs when a web application fetches a remote resource without validating the user-supplied URL, allowing attackers to reach internal services, cloud metadata endpoints, or other protected resources.

L13755. Disable unnecessary URL-fetching features

L1784 {"ecosystem": "npm", "package": "axios", "below": "1.6.0",

Voir les risques detectes

Connectez-vous pour consulter l'analyse detaillee des risques.

$npx agentfend install cmn92rtln00ynu1ip9vqbxzhw

Trust Score

20trust

⭐ 7,4 mil🍴 881

Updated há 2 semanas

Analisado

31 de mar. de 2026, 15:57

+ 2 previous scans

Compatível com

Cursor

Skill details

Trust score

20/100

GitHub

Connected

Stars

7,4 mil

Forks

881

Updated há 2 semanas

Analisado 31 de mar. de 2026, 15:57

Descricao

"Use when the user asks to perform security audits, penetration testing, vulnerability scanning, OWASP Top 10 checks, or offensive security assessments. Covers static analysis, dependency scanning, secret detection, API security testing, and pen test report generation."

Ver fonte

Scans recentes

31 de mar. de 2026, 15:57

Latest analysis

31 de mar. de 2026, 15:12

Run 2

27 de mar. de 2026, 15:47

Run 1