Security policy

How we scan, what we miss, how to report.

2985 Skills scanned
10 Threat classes
8307 Cumulative findings
0% Below community grade

Of the current index: 651 verified, 2334 community, 0 unverified, 0 flagged. Formula below.

What the static audit catches

Gitleaks with entropy 3.8 catches AWS / Tencent / Aliyun / OpenAI keys, JWTs, and DSN-style password URLs. The skill-side audit additionally flags curl-pipe-bash installers, recursive deletes, and unbounded tool grants.

Class Severity What it is How we catch it
Secret leakage high AWS / Tencent / Aliyun / OpenAI / Anthropic keys and JWTs surfacing in SKILL.md or repo files 7 custom gitleaks rules + Shannon entropy threshold 3.8
curl-pipe-bash installer high Install command pipes a remote script straight to the shell Regex match on curl/wget … | (ba)?sh patterns
Recursive root delete high Presence of rm -rf / or equivalent full-tree deletes Lexical scan for rm -rf /, find / -delete, …
Unbounded tool grants medium allowed-tools missing — implicitly grants every agent capability Parse frontmatter and require allowed-tools
No license declared low Blocks redistribution and downstream commercial use license missing in frontmatter or LICENSE file absent
No version declared low Hard to track changes; subscribers can't tell when to upgrade version missing or not semver in frontmatter
description too long low Eats into the agent's startup discovery budget; lowers trigger rate > 140 chars demoted automatically
High-entropy literal medium Suspected secret/token literal embedded in SKILL.md gitleaks entropy 3.8 + length > 20 chars
Prompt injection medium SKILL.md contains jailbreak strings like "ignore previous", "you are now …" Keyword list + ALL-CAPS / punctuation heuristics
Data exfiltration high Scripts POST repo contents, env vars or clipboard to an external URL Static detection of fetch/curl writes to non-allowlisted hosts

Trust score formula

基础分 70
+ 6   声明 license
+ 4   声明 version (semver)
+ 6   allowed-tools 范围明确
+ 5   不使用 curl … | bash
+ 5   不使用 rm -rf /
+ 4   全树 gitleaks 0 命中

≥ 90 → 已审计  ·  ≥ 75 → 社区
≥ 50 → 未审计  ·  其它 → 风险

What it does not catch

Behavioural risk. Static scans cannot tell whether a skill exfiltrates data at runtime, prompts the agent into a jailbreak, or chains to an unsafe tool. Treat every install as you would a new dependency.

  • Runtime behaviour: what scripts actually do once invoked is invisible to static scans.
  • Chained risk: one skill may call another or an MCP server; transitive trust isn't tracked yet.
  • Social engineering: docile descriptions hiding instructions in the body — needs LLM review, not regex.
  • Supply chain: if a maintainer is compromised, we catch it on next crawl, not in real time.

Reporting a vulnerability

Email security@fluxly.cc with reproduction steps. We acknowledge within 48 hours and aim to ship a fix or a public advisory within 14 days.