https://github.com/K-Dense-AI/scientific-agent-skills ·
lang: markdown ·
LOC: ·
source: both
| Rule | Severity | Count |
|---|---|---|
| SEC013 Path Traversal — User Input in File Path | high | 4 |
| SEC015 Insecure Randomness for Security | medium | 4 |
| SEC012 ZipSlip — Archive Path Traversal | medium | 4 |
| SEC020 Secret Printed to Logs | high | 4 |
| SEC002 Hardcoded API Key | critical | 1 |
| SEC017 Unbounded Input to LLM/External API | medium | 1 |
| SEC016 LLM Prompt Injection — User Input in AI Prompt | high | 1 |
SEC013
Path Traversal — User Input in File Path
scientific-skills/citation-management/scripts/extract_metadata.py:518
· conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
SEC013
Path Traversal — User Input in File Path
scientific-skills/citation-management/scripts/search_pubmed.py:344
· conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
SEC013
Path Traversal — User Input in File Path
scientific-skills/clinical-decision-support/scripts/build_decision_tree.py:424
· conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
SEC016
LLM Prompt Injection — User Input in AI Prompt
scientific-skills/infographics/scripts/generate_infographic_ai.py:470
· conf 0.90
[SEC016] LLM Prompt Injection — User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL i…
SEC012
ZipSlip — Archive Path Traversal
scientific-skills/docx/scripts/office/unpack.py:54
· conf 1.00
[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
SEC012
ZipSlip — Archive Path Traversal
scientific-skills/docx/scripts/office/validate.py:74
· conf 1.00
[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
SEC012
ZipSlip — Archive Path Traversal
scientific-skills/docx/scripts/office/validators/redlining.py:64
· conf 1.00
[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
SEC017
Unbounded Input to LLM/External API
scientific-skills/infographics/scripts/generate_infographic_ai.py:470
· conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…
SEC002
Hardcoded API Key
scientific-skills/research-lookup/lookup.py:155
· conf 0.15
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.
SEC012
ZipSlip — Archive Path Traversal
· conf 0.20
[SEC012] ZipSlip — Archive Path Traversal (and 12 more): Same pattern found in 12 additional files. Review if needed.
SEC013
Path Traversal — User Input in File Path
· conf 0.20
[SEC013] Path Traversal — User Input in File Path (and 7 more): Same pattern found in 7 additional files. Review if needed.
SEC015
Insecure Randomness for Security
· conf 0.20
[SEC015] Insecure Randomness for Security (and 2 more): Same pattern found in 2 additional files. Review if needed.
SEC015
Insecure Randomness for Security
scientific-skills/docx/scripts/comment.py:69
· conf 0.15
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC015
Insecure Randomness for Security
scientific-skills/docx/scripts/office/validators/docx.py:423
· conf 0.15
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC015
Insecure Randomness for Security
scientific-skills/matplotlib/scripts/plot_template.py:48
· conf 0.15
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC020
Secret Printed to Logs
· conf 0.20
[SEC020] Secret Printed to Logs (and 52 more): Same pattern found in 52 additional files. Review if needed.
SEC020
Secret Printed to Logs
scientific-skills/open-notebook/scripts/chat_interaction.py:96
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
scientific-skills/research-lookup/research_lookup.py:490
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
scientific-skills/scientific-writing/scripts/generate_image.py:106
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…