Skip to content

Add SafeSkill security badge (77/100 — Passes with Notes)#660

Closed
OyaAIProd wants to merge 1 commit intoshivasurya:mainfrom
OyaAIProd:safeskill-scan-1776046000092
Closed

Add SafeSkill security badge (77/100 — Passes with Notes)#660
OyaAIProd wants to merge 1 commit intoshivasurya:mainfrom
OyaAIProd:safeskill-scan-1776046000092

Conversation

@OyaAIProd
Copy link
Copy Markdown

@OyaAIProd OyaAIProd commented Apr 13, 2026

⚠️ SafeSkill Security Scan Results

Metric Value
Overall Score 77/100 (Passes with Notes)
Code Score 85/100
Content Score 59/100
Findings 191 findings detected (14 critical)
Taint Flows 0
Files Scanned 80
Scan Duration 4.2s

Top Findings

  • 🔴 critical: Imports child_process module (extension/secureflow/packages/secureflow-cli/lib/git.js:4)
  • 🔴 critical: Spawns child process (extension/secureflow/packages/secureflow-cli/lib/git.js:15)
  • 🔴 critical: Spawns child process (extension/secureflow/packages/secureflow-cli/scanner/cli-full-scan-command.js:221)
  • 🔴 critical: Spawns child process (extension/secureflow/packages/secureflow-cli/scanner/file-request-handler.js:95)
  • 🔴 critical: Spawns child process (extension/secureflow/packages/secureflow-cli/scanner/file-request-handler.js:114)

View full report on SafeSkill

About SafeSkill

SafeSkill is a free, open-source security scanner for AI tools, MCP servers, and Claude Code skills. We scan for code exploits, prompt injection, and data exfiltration risks.

False positive? We take accuracy seriously. If any finding above is incorrect, please open an issue and we will fix it immediately.

@OyaAIProd
Add SafeSkill security badge (77/100)
5ec6c56 
Signed-off-by: SafeSkill Scanner <mk@oya.ai>
@safedep
Copy link
Copy Markdown

safedep bot commented Apr 13, 2026
edited
Loading

SafeDep Report Summary

Green Malicious Packages Badge Green Vulnerable Packages Badge Green Risky License Badge

No dependency changes detected. Nothing to scan.

View complete scan results →

This report is generated by SafeDep Github App

@CLAassistant
Copy link
Copy Markdown

CLAassistant commented Apr 13, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@shivasurya
Copy link
Copy Markdown
Owner

shivasurya commented Apr 13, 2026

Almost all findings are false positive

critical: Imports child_process module (extension/secureflow/packages/secureflow-cli/lib/git.js:4)
🔴 critical: Spawns child process (extension/secureflow/packages/secureflow-cli/lib/git.js:15)
🔴 critical: Spawns child process (extension/secureflow/packages/secureflow-cli/scanner/cli-full-scan-command.js:221)
🔴 critical: Spawns child process (extension/secureflow/packages/secureflow-cli/scanner/file-request-handler.js:95)
🔴 critical: Spawns child process (extension/secureflow/packages/secureflow-cli/scanner/file-request-handler.js:114)

If you find exploitable one, let me know. thanks for the PR btw.

@shivasurya shivasurya closed this Apr 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@OyaAIProd @CLAassistant @shivasurya