skill-eval-usage
Script uses eval/exec which can execute arbitrary code
Rule Details
This rule warns when a shell script (.sh) uses the eval builtin or a Python script (.py) calls eval() or exec(). Both take a string and run it as code, so any untrusted data that reaches that string (arguments, environment variables, file contents, network input) can inject commands, run them with the script's privileges, and cause side effects the author never wrote. Shell eval additionally re-parses the string, so word splitting, globbing and command substitution are applied a second time. Skill scripts should use explicit, predictable logic rather than dynamic code evaluation.
Incorrect
Shell script using eval to execute a constructed command

```sh
#!/bin/bash
# The command string is built from untrusted input and then re-parsed by the
# shell, so a value such as '.; rm -rf /' becomes a second command.
cmd="ls -la $USER_INPUT"
eval $cmd
```

Python script using eval to parse user input

```python
# get_input() stands for any untrusted source (argument, file, network).
user_input = get_input()
result = eval(user_input)  # runs whatever expression the input contains
```

Python script using exec to run dynamic code

```python
# Whatever plugin.py contains runs with this script's privileges.
code_string = read_file("plugin.py")
exec(code_string)
```

Correct
Shell script using direct command execution

```sh
#!/bin/bash
# The argument is passed as one quoted word and is never re-parsed.
ls -la "$SAFE_DIR"
```

Python script using safe parsing instead of eval

```python
import json

# json.loads() only builds data (dicts, lists, strings, numbers, booleans,
# None); it never executes anything in the input.
data = json.loads(user_input)
```

How To Fix
Replace eval/exec with explicit logic. For shell scripts, execute commands directly with quoted arguments instead of building a command string; if the argument list really has to be assembled at run time, collect it in an array and expand it as "${cmd[@]}", which passes each element as one word without re-parsing. For Python, use safe parsers like json.loads(), ast.literal_eval(), or a dedicated library for the data format you are processing; ast.literal_eval() accepts only Python literals (strings, numbers, tuples, lists, dicts, sets, booleans and None) and raises ValueError for anything else, such as calls or attribute access. Where a script selects behaviour at run time, dispatch through a fixed table of allowed operations rather than executing code read from a file or a string.
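The following is an added example, not code from the rule's documentation or from the linter itself. It puts the flagged pattern and its replacements side by side in Python: unsafe_parse() shows eval() executing a constructed payload, parse_untrusted() accepts JSON or a Python literal via json.loads()/ast.literal_eval() and refuses anything that is code, and run_action() with the ALLOWED_ACTIONS table stands in for exec()-based "plugin" loading. The sample inputs, the function names and the action table are all constructed for this demonstration.

```python
import ast
import json

# Constructed sample inputs standing in for what a skill script might receive
# from a user. The "payload" is deliberately harmless, but it still proves that
# eval() executes code: it imports os and calls a function on it.
SAMPLE_INPUTS = {
    "literal": "{'name': 'report', 'pages': [1, 2, 3]}",
    "json": '{"name": "report", "pages": [1, 2, 3]}',
    "payload": "__import__('os').getpid() * 0 + 42",
}

# The data both safe parsers should produce for the "literal" and "json" inputs.
EXPECTED_DATA = {"name": "report", "pages": [1, 2, 3]}


def unsafe_parse(text):
    """The pattern this rule flags: any expression in `text` is executed."""
    return eval(text)


def parse_untrusted(text):
    """Hardened replacement: accept JSON or a Python literal, refuse code.

    Returns (kind, value). json.loads() and ast.literal_eval() both build data
    structures without evaluating calls, attribute access or names, so the
    payload above is rejected instead of run.
    """
    try:
        return "json", json.loads(text)
    except json.JSONDecodeError:
        pass
    try:
        return "literal", ast.literal_eval(text)
    except (ValueError, SyntaxError):
        raise ValueError("input is not plain data; refusing to evaluate it") from None


def is_rejected(text):
    """True if the hardened parser refuses `text` (nothing is executed either way)."""
    try:
        parse_untrusted(text)
    except ValueError:
        return True
    return False


# Replacement for exec()-based plugin dispatch: a fixed, hypothetical table of
# allowed operations keyed by name. Unknown names are rejected, never executed.
ALLOWED_ACTIONS = {
    "upper": str.upper,
    "strip": str.strip,
    "word_count": lambda s: len(s.split()),
}


def run_action(name, arg):
    """Look the action up in the allowlist; never build or exec code from `name`."""
    try:
        action = ALLOWED_ACTIONS[name]
    except KeyError:
        raise ValueError(f"unknown action {name!r}") from None
    return action(arg)


if __name__ == "__main__":
    # eval() happily runs the payload ...
    print("eval result:", unsafe_parse(SAMPLE_INPUTS["payload"]))
    # ... while the hardened parser only ever returns data.
    for name, text in SAMPLE_INPUTS.items():
        try:
            print(name, "->", parse_untrusted(text))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
    print("word_count ->", run_action("word_count", "  two words  "))
```

parse_untrusted() tries JSON first because it is the stricter grammar; ast.literal_eval() is only reached for inputs that are Python-literal syntax, and it still raises ValueError on a call, attribute access or bare name without running it. The dispatch table is the direct analogue of the shell fix: the set of things the script can do is written down once, and the untrusted value only selects among them.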
Options
This rule does not have any configuration options.
When Not To Use It
Only disable this rule if you have a well-audited use case where dynamic code execution is strictly necessary and every input that reaches eval/exec is validated against an allowlist before evaluation; blocklist-style sanitization of strings destined for eval is not a reliable control.
Related Rules
Resources
Version
Available since: v0.2.0