mirror of
https://github.com/CherryHQ/cherry-studio.git
synced 2026-07-03 12:27:41 +08:00
## Summary

Fix critical severity security issue in `resources/skills/skill-creator/scripts/run_eval.py`.

## Vulnerability

| Field | Value |
|-------|-------|
| **ID** | V-001 |
| **Severity** | CRITICAL |
| **Scanner** | multi_agent_ai |
| **Rule** | `V-001` |
| **File** | `resources/skills/skill-creator/scripts/run_eval.py:85` |
| **CWE** | CWE-78 |

**Description**: Three Python scripts in the skill-creator pipeline invoke subprocess.Popen/run with shell=True and incorporate user-supplied CLI arguments into the command string without sanitization. When shell=True is used, the operating system shell interprets special characters (semicolons, pipes, backticks, dollar signs) as command separators and substitution operators, enabling an attacker to append arbitrary OS commands to any legitimate argument.

## Changes

- `resources/skills/skill-creator/scripts/run_eval.py`
- `resources/skills/skill-creator/scripts/improve_description.py`
- `resources/skills/skill-creator/eval-viewer/generate_review.py`

## Verification

- [x] Build passes
- [x] Scanner re-scan confirms fix
- [x] LLM code review passed

---

*Automated security fix by [OrbisAI Security](https://orbisappsec.com)*

Signed-off-by: orbisai0security <mediratta01.pally@gmail.com>
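The CWE-78 pattern described in the commit message, shown beside the usual mitigation. This is an added example, not code from this commit or from the cherry-studio scripts (their contents are not shown on this page). The child command, function names and sample argument are constructed for illustration, and a POSIX shell is assumed.

```python
import shlex
import subprocess
import sys

# Harmless child process: prints the single argument it actually received.
CHILD = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

# Constructed sample input: a CLI argument containing a shell command separator.
SAMPLE_ARG = "eval-set.json; echo INJECTED"


def run_shell_string(arg: str) -> str:
    """Pattern from the description: argument interpolated into a shell string."""
    cmd = f"{shlex.join(CHILD)} {arg}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_list(arg: str) -> str:
    """Mitigation: no shell at all; the argument is exactly one argv element."""
    return subprocess.run(CHILD + [arg], capture_output=True, text=True).stdout


def run_shell_quoted(arg: str) -> str:
    """Fallback when a shell is unavoidable: quote the argument for POSIX sh."""
    cmd = f"{shlex.join(CHILD)} {shlex.quote(arg)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for fn in (run_shell_string, run_argv_list, run_shell_quoted):
        # Show how many output lines each variant produced and what they were.
        print(f"{fn.__name__}: {fn(SAMPLE_ARG).splitlines()}")
```

With the shell-string form the text after the semicolon runs as a second command; the list form and the quoted form both deliver the whole argument to the child unchanged.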