What the static audit catches
Gitleaks with entropy 3.8 catches AWS / Tencent / Aliyun / OpenAI keys, JWTs, and DSN-style password URLs. The skill-side audit additionally flags curl-pipe-bash installers, recursive deletes, and unbounded tool grants.
| Class | Severity | What it is | How we catch it |
|---|---|---|---|
| Secret leakage | high | AWS / Tencent / Aliyun / OpenAI / Anthropic keys and JWTs surfacing in SKILL.md or repo files | 7 custom gitleaks rules + Shannon entropy threshold 3.8 |
| curl-pipe-bash installer | high | Install command pipes a remote script straight to the shell | Regex match on curl/wget … | (ba)?sh patterns |
| Recursive root delete | high | Presence of rm -rf / or equivalent full-tree deletes | Lexical scan for rm -rf /, find / -delete, … |
| Unbounded tool grants | medium | allowed-tools missing — implicitly grants every agent capability | Parse frontmatter and require allowed-tools |
| No license declared | low | Blocks redistribution and downstream commercial use | license missing in frontmatter or LICENSE file absent |
| No version declared | low | Hard to track changes; subscribers can't tell when to upgrade | version missing or not semver in frontmatter |
| description too long | low | Eats into the agent's startup discovery budget; lowers trigger rate | > 140 chars demoted automatically |
| High-entropy literal | medium | Suspected secret/token literal embedded in SKILL.md | gitleaks entropy 3.8 + length > 20 chars |
| Prompt injection | medium | SKILL.md contains jailbreak strings like "ignore previous", "you are now …" | Keyword list + ALL-CAPS / punctuation heuristics |
| Data exfiltration | high | Scripts POST repo contents, env vars or clipboard to an external URL | Static detection of fetch/curl writes to non-allowlisted hosts |
Trust score formula
基础分 70
+ 6 声明 license
+ 4 声明 version (semver)
+ 6 allowed-tools 范围明确
+ 5 不使用 curl … | bash
+ 5 不使用 rm -rf /
+ 4 全树 gitleaks 0 命中
≥ 90 → 已审计 · ≥ 75 → 社区
≥ 50 → 未审计 · 其它 → 风险 What it does not catch
Behavioural risk. Static scans cannot tell whether a skill exfiltrates data at runtime, prompts the agent into a jailbreak, or chains to an unsafe tool. Treat every install as you would a new dependency.
- Runtime behaviour: what scripts actually do once invoked is invisible to static scans.
- Chained risk: one skill may call another or an MCP server; transitive trust isn't tracked yet.
- Social engineering: docile descriptions hiding instructions in the body — needs LLM review, not regex.
- Supply chain: if a maintainer is compromised, we catch it on next crawl, not in real time.
Reporting a vulnerability
Email security@fluxly.cc with reproduction steps. We acknowledge within 48 hours and aim to ship a fix or a public advisory within 14 days.