performing-security-code-review
Execute this skill enables AI assistant to conduct a security-focused code review using the security-agent plugin. it analyzes code for potential vulnerabilities like sql injection, xss, authentication flaws, and insecure dependencies. AI assistant uses this skill wh... Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.
74
70%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Critical
Do not install without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./plugins/examples/security-agent/skills/performing-security-code-review/SKILL.mdSecurity
2 findings — 1 critical severity, 1 high severity. Installing this skill is not recommended: please review these findings carefully if you do intend to do so.
E006: Malicious code pattern detected in skill scripts
What this means
Detected high-risk code patterns in the skill content — including its prompts, tool definitions, and resources — such as data exfiltration, backdoors, remote code execution, credential theft, system compromise, supply chain attacks, and obfuscation techniques.
Why it was flagged
Malicious code pattern detected (high risk: 0.90). The repository includes explicit, intentionally malicious constructs — notably a MaliciousClass that serializes to a payload invoking os.system("rm -rf /") (base64-encoded pickled data) and unsafe deserialization/command-execution patterns (subprocess.run with shell=True) that are ready-to-run, indicating deliberate inclusion of destructive RCE behavior rather than mere accidental insecurity.
W007: Insecure credential handling detected in skill instructions
What this means
The skill handles credentials insecurely by requiring the agent to include secret values verbatim in its generated output. This exposes credentials in the agent’s context and conversation history, creating a risk of data exfiltration.
Why it was flagged
Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to scan for hardcoded secrets and to include per-finding "code snippet" entries in the report (file path, line number, code snippet), which would require exposing secret values verbatim unless redaction is enforced.
- Commit
c8a915c
- Audited
- Security analysis
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.