perseus-injection
Performs deep injection vulnerability analysis across various languages and frameworks to identify and mitigate security risks.
The perseus-injection skill was audited on Mar 1, 2026 and we found 30 security issues across 1 threat category, including 14 high-severity. Review the findings below before installing.
Security Issues
Direct command execution function call
| 215 | // RCE: <%= process.mainModule.require('child_process').execSync('id') %> |
Direct command execution function call
| 251 | exec(`ls ${userInput}`); |
Direct command execution function call
| 252 | execSync(`git clone ${url}`); |
Direct command execution function call
| 253 | spawn('sh', ['-c', cmd]); |
Direct command execution function call
| 281 | Runtime.getRuntime().exec(cmd); |
Direct command execution function call
| 289 | exec(cmd) |
Direct command execution function call
| 315 | // RCE: T(java.lang.Runtime).getRuntime().exec('id') |
Direct command execution function call
| 319 | // RCE: (#[email protected]@getRuntime(),#rt.exec('id')) |
Eval function call - arbitrary code execution
| 116 | redis.eval(`return redis.call('get', '${userInput}')`, 0); |
Eval function call - arbitrary code execution
| 120 | rdb.Eval(ctx, script, []string{userKey}) |
Eval function call - arbitrary code execution
| 124 | r.eval(f"return redis.call('get', '{key}')", 0) |
Template literal with variable interpolation in command context
| 116 | redis.eval(`return redis.call('get', '${userInput}')`, 0); |
Template literal with variable interpolation in command context
| 175 | ```python |
Template literal with variable interpolation in command context
| 193 | ```java |
Template literal with variable interpolation in command context
| 251 | exec(`ls ${userInput}`); |
Template literal with variable interpolation in command context
| 252 | execSync(`git clone ${url}`); |
Template literal with variable interpolation in command context
| 311 | ```java |
Template literal with variable interpolation in command context
| 334 | ```java |
Template literal with variable interpolation in command context
| 346 | console.log(`User logged in: ${username}`); |
Template literal with variable interpolation in command context
| 419 | ```javascript |
Template literal with variable interpolation in command context
| 548 | | SSTI (Freemarker) | `${7*7}` | Output: 49 | |
Template literal with variable interpolation in command context
| 551 | | SpEL | `${7*7}` | Output: 49 | |
Template literal with variable interpolation in command context
| 553 | | Log4j | `${jndi:ldap://x.x}` | DNS callback | |
System command execution
| 262 | system($cmd); |
System command execution
| 270 | os.system(cmd) |
System command execution
| 286 | system(cmd) |
Node child_process module reference
| 215 | // RCE: <%= process.mainModule.require('child_process').execSync('id') %> |
Python os.system command execution
| 270 | os.system(cmd) |
Python subprocess execution
| 271 | subprocess.call(cmd, shell=True) |
Python subprocess execution
| 272 | subprocess.Popen(cmd, shell=True) |
Install this skill with one command
/learn @kaivyy/injection