Stats
Actions
Tags
From find-cve-agent
Detects OS command injection in JavaScript, TypeScript, Python, Go, Ruby, PHP via shell sinks like exec/system/popen. Traces user input, checks sanitization/argument injection for RCE in CLI wrappers.
How this skill is triggered — by the user, by Claude, or both
Slash command
/find-cve-agent:command-injectionThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Audit any package that wraps CLI tools, runs build commands, processes files via external programs, or interfaces with git/ffmpeg/imagemagick/pandoc/etc.
Audit any package that wraps CLI tools, runs build commands, processes files via external programs, or interfaces with git/ffmpeg/imagemagick/pandoc/etc.
CVSS is typically CRITICAL 9.8 for confirmed RCE.
; rm -rf /)--upload-pack=malicious);, |, &&, backticks, $()) are interpreted. DANGEROUS.# JavaScript/TypeScript — look for child_process usage
grep -rn "child_process" .
grep -rn "\.exec\('" .
grep -rn "\.execSync\(" .
grep -rn "spawn.*shell.*true" .
grep -rn "shelljs" .
# Python
grep -rn "os\.system\|os\.popen" .
grep -rn "subprocess.*shell.*True" .
grep -rn "commands\.getoutput\|commands\.getstatusoutput" .
# Go
grep -rn 'exec\.Command.*"bash"\|exec\.Command.*"sh"' .
# Ruby
grep -rn "system(\|%x{" . --include="*.rb"
grep -rn "IO\.popen\|Open3" .
# PHP
grep -rn "system(\|passthru(\|shell_exec(\|popen(" .
grep -rn "proc_open\|pcntl_exec" .
For each sink:
grep -rn "escapeshellarg\|escapeshellcmd\|shlex\.quote\|shellescape" .
grep -rn "sanitize\|escape\|clean\|validate" .
Verify sanitization is:
Even with execFile/spawn (no shell), check for:
--flag injection: user input starts with - or ----upload-pack, -c core.fsmonitor, --config--exec, --filter, --diff-filter--) separator missing before user-controlled args// VULNERABLE — shell interprets metacharacters
const cp = require('child_process');
cp.exec(`convert ${inputFile} ${outputFile}`);
// Exploit: inputFile = "; id; #"
cp.exec(`file "${filename}"`);
// Exploit: filename = '$(id).txt' or filename = '"; id; #"'
// Even without shell, git interprets dangerous flags
cp.execFile('git', ['clone', userUrl, '--config', 'core.fsmonitor=id']);
cp.exec(command, { env: { ...process.env, USER_INPUT: untrusted } });
// If command references $USER_INPUT or uses env vars unsafely
cp.execFile('program', ['--option=' + userInput]);
// Exploit: userInput = "value\n--dangerous-flag"
grep -rn "exec\(.*\+" . # String concatenation in exec
grep -rn "exec\(.*\$\{" . # Template literal in exec
grep -rn "exec\(.*%" . # Format string in exec (Python)
grep -rn "execFile\|spawn" .
# Then check if user input is in the args array without -- separator
npx claudepluginhub byamb4/find-cve-agentAnalyzes PHP code for command injection vulnerabilities. Detects unsafe shell_exec, exec, system, passthru, backticks, popen/proc_open with user input and missing escapeshellarg/escapeshellcmd.
Scans Python, PowerShell, Bash, and C# files for CWE-22 path traversal and CWE-78 command injection vulnerabilities before PR submission or as pre-commit gate.
Scans Python, PowerShell, Bash, and C# files for CWE-22 path traversal and CWE-78 command injection vulnerabilities using lightweight pattern matching before PR submission or pre-commit.