Skillv0.1.0

Static analysis security

Bomb Dog Sniff · Deterministic local checks for risky code patterns and metadata mismatches.

ReviewApr 30, 2026, 4:57 AM

Summary: Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access (+2 more)
Reason codes: suspicious.dangerous_execsuspicious.dynamic_code_executionsuspicious.env_credential_accesssuspicious.obfuscated_codesuspicious.potential_exfiltration
Engine: v2.4.5

criticalsafe-download.js:139

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalscripts/scan.js:286

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticaltest-malicious-skill/scripts/malicious.js:32

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticaltest/malicious-skill/index.js:30

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalscripts/scan.js:81

Dynamic code execution detected.

suspicious.dynamic_code_execution

criticaltest-malicious-skill/scripts/malicious.js:54

Dynamic code execution detected.

suspicious.dynamic_code_execution

criticaltest/malicious-skill/index.js:65

Dynamic code execution detected.

suspicious.dynamic_code_execution

criticaltest-malicious-skill/scripts/malicious.js:27

Environment variable access combined with network send.

suspicious.env_credential_access

criticaltest/malicious-skill/index.js:46

Environment variable access combined with network send.

suspicious.env_credential_access

warntest-malicious-skill/scripts/malicious.js:53

Potential obfuscated payload detected.

suspicious.obfuscated_code

warnpatterns.js:50