Skip to main content

runaway-guard

Implements cost-safety measures for AI APIs, ensuring strict budget controls to prevent unexpected expenses during execution.

Install this skill

or
35/100

Security score

The runaway-guard skill was audited on Jun 1, 2026 and we found 13 security issues across 3 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 163

Template literal with variable interpolation in command context

SourceSKILL.md
163// idempotency: key = `${campaignId}:${sha1(prompt)}` — provider-side dedup window 24h
medium line 178

Template literal with variable interpolation in command context

SourceSKILL.md
178`prompt count ${prompts.length} exceeds MAX_IMAGES_PER_RUN=${MAX_IMAGES_PER_RUN}`
medium line 182

Template literal with variable interpolation in command context

SourceSKILL.md
182`img:${event.data.id}:${sha1(p)}`, // idempotency key
medium line 18

Webhook reference - potential data exfiltration

SourceSKILL.md
18Every loop has time complexity and space complexity. A loop that calls a paid API has a third: **dollars per execution**. The model tracks the first two automatically. It does not track the third, so
medium line 30

Webhook reference - potential data exfiltration

SourceSKILL.md
30- Writing or reviewing code that calls a paid AI / inference API in a loop, queue, retry path, agent step, webhook handler, or background job.
medium line 96

Webhook reference - potential data exfiltration

SourceSKILL.md
966. **Idempotency keys on every mutating or charging call.** A webhook that fires twice should bill once. Without an idempotency key, retry policies you cannot see (load balancer, framework, gateway) s
medium line 100

Webhook reference - potential data exfiltration

SourceSKILL.md
100- **Webhook handlers that call the API that called the webhook.** Cycle detection or it will cycle.
medium line 199

Webhook reference - potential data exfiltration

SourceSKILL.md
199| Webhook handler → API call | idempotency key required; cycle if webhook is triggered by the same API | provider rate limit per key |
medium line 212

Webhook reference - potential data exfiltration

SourceSKILL.md
212- Webhooks: deliveries are paid; cap retries on your side.
medium line 253

Webhook reference - potential data exfiltration

SourceSKILL.md
253| Webhook retried by provider | idempotency at the handler boundary |
medium line 285

Webhook reference - potential data exfiltration

SourceSKILL.md
285| "Idempotency is overkill for this." | Webhooks retry. Load balancers retry. Browsers retry. Without an idempotency key, *something* will duplicate. |
medium line 299

Webhook reference - potential data exfiltration

SourceSKILL.md
299- About to handle a webhook that calls the API that produced the webhook.
medium line 298

Access to .env file

SourceSKILL.md
298- About to commit a paid API key to a `.env` shared across environments.
Scanned on Jun 1, 2026
View Security Dashboard
Installation guide →
GitHub Stars 39.4K
Rate this skill
Categorydevelopment
UpdatedJune 10, 2026
claude-codeantigravitycursorgemini-cliapibackendml-ai-engineerbackend-developerproduct-managergrowth-marketerdata-scientistdevelopmentproductmarketingdata analytics
sickn33/antigravity-awesome-skills