Skip to content

Add SafeSkill security badge (86/100 — Passes with Notes)#31

Closed
OyaAIProd wants to merge 1 commit into
taskade:mainfrom
OyaAIProd:safeskill-scan-1775786972755
Closed

Add SafeSkill security badge (86/100 — Passes with Notes)#31
OyaAIProd wants to merge 1 commit into
taskade:mainfrom
OyaAIProd:safeskill-scan-1775786972755

Conversation

@OyaAIProd
Copy link
Copy Markdown

@OyaAIProd OyaAIProd commented Apr 10, 2026
edited by cursor Bot
Loading

⚠️ SafeSkill Security Scan Results

Metric Value
Overall Score 86/100 (Passes with Notes)
Code Score 86/100
Content Score 78/100
Findings 41 findings detected (2 critical)
Taint Flows 0
Files Scanned 13
Scan Duration 1.9s

Top Findings

  • 🔴 critical: Bracket notation access: window['fetch'] (obfuscation technique to evade static analysis) (packages/openapi-codegen/src/runtime.ts:171)
  • 🔴 critical: Bracket notation access: window['fetch'] (obfuscation technique to evade static analysis) (packages/server/src/tools.generated.ts:178)
  • 🟠 high: Direct filesystem operation (packages/openapi-codegen/src/codegen.ts:52)
  • 🟠 high: Direct filesystem operation (packages/openapi-codegen/src/codegen.ts:126)
  • 🟠 high: Context boundary escape detected (fake-turn-marker): "User:" (packages/server/taskade-public.yaml:247)

View full report on SafeSkill

About SafeSkill

SafeSkill is a free, open-source security scanner for AI tools, MCP servers, and Claude Code skills. We scan for code exploits, prompt injection, and data exfiltration risks.

False positive? We take accuracy seriously. If any finding above is incorrect, please open an issue and we will fix it immediately.

Note

Low Risk
Documentation-only change adding an external badge/link; minimal code risk aside from relying on a third-party URL/image.

Overview
Adds a SafeSkill security scan badge to README.md, linking to the public scan report for this repo.

Reviewed by Cursor Bugbot for commit 856cd59. Bugbot is set up for automated code reviews on this repo. Configure here.

@OyaAIProd
Add SafeSkill security badge (86/100)
856cd59 
Signed-off-by: SafeSkill Scanner <mk@oya.ai>
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented Apr 10, 2026

⚠️ No Changeset found

Latest commit: 856cd59

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@johnxie
Copy link
Copy Markdown
Member

johnxie commented Jun 5, 2026

Thanks for the scan. We reviewed the findings and they're false positives — for example, window['fetch'] is standard bracket-notation property access (not obfuscation), and the "context boundary escape" hit is an example string inside our OpenAPI spec (taskade-public.yaml), not executable content. We also don't add third-party security badges to the README.

Closing for those reasons — appreciate the tool and the heads-up. 🙏

@johnxie johnxie closed this Jun 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@OyaAIProd @johnxie