sast-rce
Detects Remote Code Execution vulnerabilities in codebases using a structured three-phase approach for security assessments.
Security score
The sast-rce skill was audited on Jun 13, 2026, and the audit found 73 security issues across 5 threat categories, including 19 critical. Review the findings below before installing.
Categories Tested
Security Issues
| Category | Line | Snippet |
|---|---|---|
| Direct command execution function call | 34 | - Using `eval()`, `exec()`, `Function()`, or equivalent constructs with user-controlled strings |
| Direct command execution function call | 63 | child_process.spawn("ffmpeg", ["-i", inputFile, outputFile]) |
| Direct command execution function call | 98 | spawn(cmd, []); |
| Direct command execution function call | 135 | exec(`grep -r "${query}" /var/log/app/`, (err, stdout) => { |
| Direct command execution function call | 143 | return execSync('node scripts/' + userScript); |
| Direct command execution function call | 149 | const proc = spawn('grep', ['-r', query, '/var/log/app/']); |
| Direct command execution function call | 216 | exec(code) # full arbitrary code execution |
| Direct command execution function call | 401 | > - `child_process.exec(var)`, `child_process.execSync(var)` — flag if any variable in command string |
| Direct command execution function call | 403 | > - `child_process.spawn(var, ...)` or `spawn(cmd, args)` with `shell: true` and variable in command — flag |
| Direct command execution function call | 404 | > - `shelljs.exec(var)`, `execa(var)` — flag if variable in command |
| Direct command execution function call | 407 | > - `exec(var)`, `system(var)`, `passthru(var)`, `shell_exec(var)`, `popen(var, ...)`, `proc_open(var, ...)` — flag if any variable in command string |
| Direct command execution function call | 411 | > - `system(var)`, `exec(var)`, `spawn(var)`, `IO.popen(var)`, `Open3.popen3(var)` — flag if string form with interpolated variable |
| Direct command execution function call | 416 | > - `Runtime.getRuntime().exec(var)` — flag if string argument contains variable concatenation |
| Direct command execution function call | 434 | > - `exec(var)` — flag if argument is a variable |
| Direct command execution function call | 435 | > - `compile(var, ...)` followed by `exec()` — flag |
| Direct command execution function call | 707 | - **For OS command sinks**: `subprocess.run(["cmd", var])` with list form and no `shell=True` is NOT command injection — the argument is passed directly to the process without shell interpretation. On |
| Eval function call - arbitrary code execution | 34 | - Using `eval()`, `exec()`, `Function()`, or equivalent constructs with user-controlled strings |
| Eval function call - arbitrary code execution | 209 | result = eval(expr) # attacker can run __import__('os').system('id') |
| Eval function call - arbitrary code execution | 234 | const result = eval(formula); // RCE: process.exit(), require('child_process')... |
| Eval function call - arbitrary code execution | 433 | > - `eval(var)` — flag if argument is a variable |
| Eval function call - arbitrary code execution | 439 | > - `eval(var)` — flag if argument is a variable |
| Eval function call - arbitrary code execution | 446 | > - `eval(var)` — always flag if variable in argument |
| Eval function call - arbitrary code execution | 453 | > - `eval(var)`, `instance_eval(var)`, `class_eval(var)`, `module_eval(var)` — flag if variable |
| Eval function call - arbitrary code execution | 454 | > - `binding.eval(var)` — flag if variable |
| Eval function call - arbitrary code execution | 708 | - **For `eval`-like sinks**: there is almost no safe way to use `eval()` with user input. Any eval-like sink receiving external data should be flagged Vulnerable. |
| Eval function call - arbitrary code execution | 711 | - Second-order RCE is possible: a value stored from user input may later be deserialized or evaluated in a different code path (e.g., a user-supplied config stored in DB and later `eval()`'d by a cron |
| Template literal with variable interpolation in command context | 135 | exec(`grep -r "${query}" /var/log/app/`, (err, stdout) => { |
| Template literal with variable interpolation in command context | 240 | const fn = new Function('x', `return ${userExpression}`); |
| System command execution | 68 | # Ruby — system() with multiple args (not a single interpolated string) |
| System command execution | 69 | system("ffmpeg", "-i", "input.mp4", "-f", format, "output") |
| System command execution | 119 | os.system(f"convert (unknown) -resize {size} output.jpg") |
| System command execution | 182 | # VULNERABLE: string interpolation in system() |
| System command execution | 185 | system("ffmpeg -i input.mp4 -f #{format} output") |
| System command execution | 193 | # SECURE: system() with separate args (no shell expansion) |
| System command execution | 198 | system("ffmpeg", "-i", "input.mp4", "-f", format, "output") |
| System command execution | 209 | result = eval(expr) # attacker can run __import__('os').system('id') |
| System command execution | 394 | > - `os.system(var)` — always flag if any variable |
| System command execution | 407 | > - `exec(var)`, `system(var)`, `passthru(var)`, `shell_exec(var)`, `popen(var, ...)`, `proc_open(var, ...)` — flag if any variable in command string |
| System command execution | 411 | > - `system(var)`, `exec(var)`, `spawn(var)`, `IO.popen(var)`, `Open3.popen3(var)` — flag if string form with interpolated variable |
| System command execution | 707 | - **For OS command sinks**: `subprocess.run(["cmd", var])` with list form and no `shell=True` is NOT command injection — the argument is passed directly to the process without shell interpretation. On |
| Node child_process module reference | 63 | child_process.spawn("ffmpeg", ["-i", inputFile, outputFile]) |
| Node child_process module reference | 234 | const result = eval(formula); // RCE: process.exit(), require('child_process')... |
| Node child_process module reference | 401 | > - `child_process.exec(var)`, `child_process.execSync(var)` — flag if any variable in command string |
| Node child_process module reference | 402 | > - `child_process.execFile(var, ...)` — flag if command or args contain variables |
| Node child_process module reference | 403 | > - `child_process.spawn(var, ...)` or `spawn(cmd, args)` with `shell: true` and variable in command — flag |
| Python os.system command execution | 119 | os.system(f"convert (unknown) -resize {size} output.jpg") |
| Python os.system command execution | 394 | > - `os.system(var)` — always flag if any variable |
| Python subprocess execution | 49 | - **Safe subprocess list-form calls**: `subprocess.run(["ls", user_arg])` with a list and no `shell=True` — arguments are passed directly to the OS without shell expansion; not vulnerable to command i |
| Python subprocess execution | 59 | subprocess.run(["convert", "-resize", size, input_file, output_file]) |
| Python subprocess execution | 60 | subprocess.Popen(["git", "clone", repo_url]) |
| Python subprocess execution | 93 | subprocess.run(["convert", infile, f"output.{fmt}"]) |
| Python subprocess execution | 112 | result = subprocess.run(f"ping -c 1 {host}", shell=True, capture_output=True, text=True) |
| Python subprocess execution | 125 | result = subprocess.run(["ping", "-c", "1", host], capture_output=True, text=True, timeout=5) |
| Python subprocess execution | 396 | > - `subprocess.run(var, shell=True)`, `subprocess.call(var, shell=True)`, `subprocess.Popen(var, shell=True)`, `subprocess.check_output(var, shell=True)` — flag if `shell=True` AND a variable appears |
| Python subprocess execution | 397 | > - `subprocess.run(f"cmd {var}")` without `shell=True` — flag: passing a string (not list) to subprocess can still be unsafe |
| Python subprocess execution | 497 | > - `subprocess.run(["cmd", arg1, arg2])` with a list and no `shell=True` — no shell expansion |
| Python subprocess execution | 518 | > - **Sink**: [the dangerous function call — e.g., subprocess.run(..., shell=True)] |
| Python subprocess execution | 573 | > 1. **Subprocess list form without shell**: `subprocess.run(["cmd", var])` without `shell=True` — no shell metacharacter injection. |
| Python subprocess execution | 605 | > - **Subprocess list form**: `subprocess.run(["cmd", var])` without `shell=True` — arguments are passed directly to the OS, no shell expansion. This IS an effective mitigation for command injection ( |
| Python subprocess execution | 626 | > - **Taint trace**: [Step-by-step from entry point to the sink — e.g., "request.args.get('host') → host → subprocess.run(f'ping -c 1 {host}', shell=True)"] |
| Python subprocess execution | 707 | - **For OS command sinks**: `subprocess.run(["cmd", var])` with list form and no `shell=True` is NOT command injection — the argument is passed directly to the process without shell interpretation. On |
| Curl to non-GitHub URL | 634 | > curl "https://app.example.com/ping?host=127.0.0.1;id" |
| Curl to non-GitHub URL | 635 | > curl "https://app.example.com/ping?host=127.0.0.1%3Bid" |
| Access to /etc/passwd | 139 | // Payload: ?q=foo" /etc/passwd " |
| Access to /etc/passwd | 627 | > - **Impact**: [What an attacker can do — execute arbitrary OS commands, read /etc/passwd, establish reverse shell, achieve full server compromise, etc.] |
| Base64 decode operation | 273 | data = base64.b64decode(session_cookie) |
| Base64 decode operation | 281 | user = json.loads(base64.b64decode(session_cookie)) |
| Base64 decode operation | 311 | $data = base64_decode($_COOKIE['profile']); |
| Base64 decode operation | 321 | $data = base64_decode($_COOKIE['profile']); |
| Base64 decode operation | 332 | data = Base64.decode64(params[:state]) |
| Base64 decode operation | 339 | data = JSON.parse(Base64.decode64(params[:state])) |
| External URL reference | 634 | > curl "https://app.example.com/ping?host=127.0.0.1;id" |
| External URL reference | 635 | > curl "https://app.example.com/ping?host=127.0.0.1%3Bid" |