From agentic-security
Refuse runtime code-eval on user input. Activate before writing eval(), Function(), or string→exec patterns.
How this skill is triggered — by the user, by Claude, or both
Slash command
/agentic-security:security-eval-warnThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Activates **before** you write code that converts a string to executable
Activates before you write code that converts a string to executable code at runtime, when that string can come from any input source (HTTP body, query, header, file, third-party API, message queue).
You're about to call Edit / Write with a body that contains any of:
eval(x), new Function(x), setTimeout(stringArg, …),
setInterval(stringArg, …), vm.runInNewContext(x), vm.compileFunction(x),
vm.Script(x).runInThisContext().eval(x), exec(x), compile(x, …), __import__(x),
getattr(obj, user_string), globals()[user_string].eval(x), class_eval(x), instance_eval(x), send(x, …),
public_send(x, …).eval($x), assert($x), create_function($x, $y),
call_user_func($x, …).exec(userString), execSync(userString),
child_process.exec(userString) — the user-controlled-shell variant
is covered by security-weak-crypto separately; this skill covers
the literal code-eval families.Mustache.render(x, { __proto__: … }),
Handlebars.compile(userInput) (template injection).Stop. Refuse the edit. Propose the structured alternative.
Name the vuln class. "CWE-94 / Code Injection. Anything that
reaches eval() at runtime is the same as letting the input source
write your code directly."
Diagnose what the user actually wants:
JSON.parse(x) / json.loads(x).dict/object lookup table with
an explicit allow-list of keys; throw on unknown.mathjs.evaluate in a worker, simpleeval
in Python, jsep for AST-only). Or refuse — formulae from
untrusted users is the same shape as eval.import + a switch statement.
Never import(userString).json, not pickle).Show the literal replacement as a 3-line code block.
If the user insists eval is necessary (a documented LISP/Lua-style
feature, a build-time scripting hook), confirm the input source is
trusted (developer-only file in the repo) AND the input goes through
a separate validator BEFORE eval. Document the assumption in a
// agentic-security-ignore: code-injection pragma with a one-line
reason.
/setup --bodyguard — make this skill mandatory on every Edit/scan --uncommitted — scan just-edited files for code-eval shapes/triage --explain CWE-94 — full explanation of code-injection familyGuides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Enforces test-driven development: write failing test first, then minimal code to pass. Use when implementing features or bugfixes.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
npx claudepluginhub securityphoenix/agentic-security --plugin agentic-security