critical
suspicious.dangerous_exec
- Location
- skills/sn-ppt-standard/scripts/export_pptx/html_to_pptx.mjs:24
- Finding
- Shell command execution detected (child_process).
- Evidence
execSync('npm install --omit=dev', { cwd: __dirname, stdio: 'inherit' });
SenseNova-Skills
AdvisoryAudited by Static analysis on May 14, 2026.
Overview
Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal, suspicious.prompt_injection_instructions
Findings (5)
critical
suspicious.exposed_secret_literal
- Location
- skills/sn-image-base/scripts/sn_image_base/generation/sensenova.py:497
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
api_key=[REDACTED],
critical
suspicious.exposed_secret_literal
- Location
- skills/sn-image-base/scripts/sn_image_base/llm/chat_completions_adapter.py:248
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
api_key = [REDACTED]
warn
suspicious.prompt_injection_instructions
- Location
- skills/sn-image-imitate/SKILL.md:196
- Finding
- Prompt-injection style instruction pattern detected.
- Evidence
If missing, use inline fallback system prompt:
warn
suspicious.prompt_injection_instructions
- Location
- skills/sn-image-resume/SKILL.md:261
- Finding
- Prompt-injection style instruction pattern detected.
- Evidence
- System prompt: `prompts/resume.md`