Repository: zhugez/orbitsmith
Commit: b55a6fe
Verdict: FAIL
Score: 5
Date: May 20, 2026
| Severity | Rule | Message | File:Line |
|---|---|---|---|
| HIGH | python.lang.security.audit.subprocess-shell-true.subprocess-shell-true | Found 'subprocess' function 'Popen' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead. | zhugez/orbitsmith/pptx-official-9a86916d/kit/.agent/scripts/auto_preview.py:81 |
| MEDIUM | python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected | Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead. | zhugez/orbitsmith/pptx-official-9a86916d/kit/.agent/skills/last30days/scripts/lib/http.py:75 |
| MEDIUM | python.lang.security.audit.eval-detected.eval-detected | Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. | zhugez/orbitsmith/pptx-official-9a86916d/kit/.agent/skills/loki-mode/benchmarks/results/2026-01-05-00-49-17/humaneval-solutions/160.py:29 |
| MEDIUM | python.lang.security.audit.eval-detected.eval-detected | Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. | zhugez/orbitsmith/pptx-official-9a86916d/kit/.agent/skills/loki-mode/benchmarks/results/humaneval-loki-solutions/160.py:34 |
| HIGH | python.lang.security.use-defused-xml.use-defused-xml | The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service. | zhugez/orbitsmith/pptx-official-9a86916d/kit/.agent/skills/mcp-builder/scripts/evaluation.py:13 |
| HIGH | python.lang.security.audit.dangerous-subprocess-use-tainted-env-args.dangerous-subprocess-use-tainted-env-args | Detected subprocess function 'run' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.quote()'. | zhugez/orbitsmith/pptx-official-9a86916d/kit/.agent/skills/notebooklm/scripts/run.py:91 |
| MEDIUM | python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected | Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead. | zhugez/orbitsmith/pptx-official-9a86916d/kit/.agent/skills/shopify-development/scripts/shopify_graphql.py:101 |
| HIGH | python.lang.security.audit.subprocess-shell-true.subprocess-shell-true | Found 'subprocess' function 'run' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead. | zhugez/orbitsmith/pptx-official-9a86916d/kit/.agent/skills/typescript-expert/scripts/ts_diagnostic.py:16 |
| HIGH | python.lang.security.audit.subprocess-shell-true.subprocess-shell-true | Found 'subprocess' function 'Popen' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead. | zhugez/orbitsmith/pptx-official-9a86916d/kit/.agent/skills/webapp-testing/scripts/with_server.py:71 |