agent-skill-creator/scenarios/SC-021-security-scan-shell-injection.scenario.md
francylisboacharuto bac2b27bb8 feat: v4.0 Cross-Platform Modernization — Agent Skills Open Standard compliance
BREAKING CHANGES:
- Remove -cskill suffix from all skill names (use standard kebab-case)
- Simplify marketplace.json to only official fields (fixes Issue #5)
- SKILL.md body must be <500 lines (progressive disclosure via references/)

New features:
- Cross-platform support for 8+ platforms (Claude Code, Copilot, Cursor, Windsurf, Cline, Codex CLI, Gemini CLI)
- scripts/install-template.sh: Auto-detect platform installer with --dry-run
- scripts/validate.py: Spec compliance checker for generated skills
- scripts/security_scan.py: Security scanner for hardcoded keys and dangerous patterns
- MIGRATION.md: v3.x to v4.0 migration guide
- 6 new reference files for progressive disclosure from lean SKILL.md

Key changes:
- SKILL.md: 4,116 → 272 lines with spec-compliant YAML frontmatter
- marketplace.json: Stripped to {name, plugins} only
- article-to-prototype-cskill/ → article-to-prototype/
- stock-analyzer-cskill/ → stock-analyzer/
- Export system integrates validation + security scanning
- README.md rewritten for all supported platforms
- Phase 5 pipeline outputs SKILL.md-first, spec-compliant skills

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 14:52:09 -03:00

1 KiB

SC-021: Security Scan Detects Shell Injection Patterns

Covers: FR-014 — Security scan SHOULD check for shell injection patterns in generated scripts Type: Happy Path

Given

  • A generated skill directory unsafe-skill/ contains scripts/runner.py with:
    import subprocess
    user_input = input("Enter filename: ")
    subprocess.call(f"cat {user_input}", shell=True)
    

When

  • The security scan is run on unsafe-skill/

Then

  • The security scan identifies a shell injection risk
  • The security list contains a finding about subprocess.call with shell=True and unsanitized input

Verification Method

Method: Automated test

Steps:

  1. Create unsafe-skill/scripts/runner.py with subprocess.call(..., shell=True) using f-string interpolation
  2. Run the security scan
  3. Assert security findings reference shell injection or shell=True

Expected evidence: Security finding like "Potential shell injection in scripts/runner.py: subprocess.call with shell=True and string interpolation".