orbisai0security 2b21908fab fix: sanitize subprocess call in run_eval.py (#14842)
## Summary
Fix critical severity security issue in
`resources/skills/skill-creator/scripts/run_eval.py`.

## Vulnerability
| Field | Value |
|-------|-------|
| **ID** | V-001 |
| **Severity** | CRITICAL |
| **Scanner** | multi_agent_ai |
| **Rule** | `V-001` |
| **File** | `resources/skills/skill-creator/scripts/run_eval.py:85` |
| **CWE** | CWE-78 |

**Description**: Three Python scripts in the skill-creator pipeline
invoke subprocess.Popen/run with shell=True and incorporate
user-supplied CLI arguments into the command string without
sanitization. When shell=True is used, the operating system shell
interprets special characters (semicolons, pipes, backticks, dollar
signs) as command separators and substitution operators, enabling an
attacker to append arbitrary OS commands to any legitimate argument.

## Changes
- `resources/skills/skill-creator/scripts/run_eval.py`
- `resources/skills/skill-creator/scripts/improve_description.py`
- `resources/skills/skill-creator/eval-viewer/generate_review.py`

## Verification
- [x] Build passes
- [x] Scanner re-scan confirms fix
- [x] LLM code review passed

---
*Automated security fix by [OrbisAI Security](https://orbisappsec.com)*

Signed-off-by: orbisai0security <mediratta01.pally@gmail.com>
2026-05-09 14:46:47 +08:00
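
The shell-interpretation behaviour named in the description, shown as an added example that is not code from this commit or its repository. The child command, the `--name` option, the function names and the sample value are all assumptions made for illustration, and it expects a POSIX `/bin/sh`.

```python
import shlex
import subprocess
import sys

# Stand-in for the program the scripts launch (assumption): it prints the argv it received.
CHILD = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

# Constructed input: a CLI value carrying a shell command separator.
PAYLOAD = "demo; echo INJECTED"


def run_with_shell(user_arg: str) -> str:
    """Pattern the description flags: value interpolated into a string, shell=True."""
    cmd = f"{shlex.join(CHILD)} --name {user_arg}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_with_argv(user_arg: str) -> str:
    """Hardened: argv list and no shell, so the value stays one argument."""
    argv = CHILD + ["--name", user_arg]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def run_with_shell_quoted(user_arg: str) -> str:
    """Fallback when a POSIX shell is unavoidable: quote the value with shlex.quote."""
    cmd = f"{shlex.join(CHILD)} --name {shlex.quote(user_arg)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for fn in (run_with_shell, run_with_argv, run_with_shell_quoted):
        print(f"{fn.__name__}: {fn(PAYLOAD).splitlines()}")
```

An argv list stops the shell from interpreting the value, but the child program still parses it, so a value beginning with `-` can be read as an option and needs its own validation.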