Low Risk — Risk Score 15/100
Last scan: 1 day ago
code-runner
Run code snippets in 30+ programming languages including JavaScript, Python, TypeScript, Java, C, C++, Go, Rust, Ruby, PHP, and more.
A legitimate code runner skill that executes user-provided code snippets, with fully documented shell execution and no hidden malicious behavior.
Skill Name: code-runner
Duration: 34.6s
Engine: pi
Safe to install
Accept for use with standard sandboxing precautions. The skill's core functionality of executing code is declared and expected. Users should avoid running untrusted code in production environments.

Findings (2 items)

Severity | Finding | Location
Low | Undeclared filesystem write access (Priv Escalation) | scripts/run-code.cjs:122
  Description: The skill writes user-provided code to temporary files in os.tmpdir() without declaring filesystem:WRITE permission in SKILL.md. While necessary for code execution, this capability is not explicitly documented.
  Evidence: fs.writeFileSync(filePath, code, 'utf8')
  Recommendation: Add filesystem:WRITE to the declared capabilities, or clarify in the documentation that temp file writes are used for execution.
Info | Arbitrary code execution is core functionality (RCE) | scripts/run-code.cjs:64
  Description: The skill's purpose is to execute arbitrary code provided by users. This is declared and documented in SKILL.md with appropriate security warnings. Bash/shell support enables full shell command execution.
  Evidence: shellscript: { executor: 'bash', ext: 'sh' }
  Recommendation: This is expected behavior for a code runner. Ensure sandboxing is used when running untrusted code.
Resource | Declared | Inferred | Status | Evidence
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md line 1: 'Run code snippets'; exec/spawn in scripts/run-code.cjs line 11
Filesystem | NONE | WRITE | ✓ Aligned | Writes to os.tmpdir() for code execution (lines 122-125)
Network | NONE | NONE | | No network calls in run-code.cjs
Environment | NONE | NONE | | No access to env vars for secrets
External URL findings (24 items)

Severity | Finding | URL | Location
Medium | External URL | https://nodejs.org/ | references/LANGUAGES.md:10
Medium | External URL | https://python.org/ | references/LANGUAGES.md:22
Medium | External URL | https://ruby-lang.org/ | references/LANGUAGES.md:29
Medium | External URL | https://php.net/ | references/LANGUAGES.md:35
Medium | External URL | https://lua.org/ | references/LANGUAGES.md:47
Medium | External URL | https://r-project.org/ | references/LANGUAGES.md:53
Medium | External URL | https://julialang.org/ | references/LANGUAGES.md:59
Medium | External URL | https://adoptium.net/ | references/LANGUAGES.md:70
Medium | External URL | https://kotlinlang.org/ | references/LANGUAGES.md:84
Medium | External URL | https://scala-lang.org/ | references/LANGUAGES.md:90
Medium | External URL | https://groovy-lang.org/ | references/LANGUAGES.md:96
Medium | External URL | https://clojure.org/ | references/LANGUAGES.md:102
Medium | External URL | https://rust-lang.org/ | references/LANGUAGES.md:149
Medium | External URL | https://swift.org/ | references/LANGUAGES.md:160
Medium | External URL | https://dart.dev/ | references/LANGUAGES.md:166
Medium | External URL | https://crystal-lang.org/ | references/LANGUAGES.md:172
Medium | External URL | https://nim-lang.org/ | references/LANGUAGES.md:178
Medium | External URL | https://haskell.org/ghc/ | references/LANGUAGES.md:188
Medium | External URL | https://dot.net/ | references/LANGUAGES.md:194
Medium | External URL | https://ocaml.org/ | references/LANGUAGES.md:200
Medium | External URL | https://elixir-lang.org/ | references/LANGUAGES.md:206
Medium | External URL | https://racket-lang.org/ | references/LANGUAGES.md:212
Medium | External URL | http://sbcl.org/ | references/LANGUAGES.md:224
Medium | External URL | https://autohotkey.com/ | references/LANGUAGES.md:285

File Tree

3 files · 24.3 KB · 856 lines
Markdown: 2 files · 495 lines; JavaScript: 1 file · 361 lines
├─ 📁 references
│ └─ 📝 LANGUAGES.md Markdown 306L · 7.2 KB
├─ 📁 scripts
│ └─ 📜 run-code.cjs JavaScript 361L · 11.6 KB
└─ 📝 SKILL.md Markdown 189L · 5.5 KB

Security Positives

✓ SKILL.md clearly documents the shell execution mechanism (node run-code.cjs)
✓ Security considerations section warns about dangerous operations
✓ No credential harvesting or environment variable access for secrets
✓ No network requests to external servers
✓ No obfuscation, base64 encoding, or hidden instructions
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Timeout protection (30 seconds default) prevents infinite loops
✓ Clean temporary file cleanup after execution