
sast-ssti

Detects Server-Side Template Injection (SSTI) vulnerabilities in codebases using a structured three-phase approach for security assessments.

Security score: 0/100

The sast-ssti skill was audited on Jun 6, 2026 and we found 16 security issues across 3 threat categories, including 1 critical. Review the findings below before installing.

Security Issues

All 16 findings are located in SKILL.md, the skill's own instruction file. The "Line" column is the SKILL.md line the scanner flagged; the last column is that line's content as reported.

| Severity | Line | Finding | Flagged content (SKILL.md) |
|---|---|---|---|
| high | 138 | Direct command execution function call | `// Payload: ?template=<%- global.process.mainModule.require('child_process').execSync('id') %>` |
| high | 154 | Direct command execution function call | `// Payload: {{ range.constructor("return global.process.mainModule.require('child_process').execSync('id').toString()")() }}` |
| high | 241 | Direct command execution function call | `return "user/" + lang + "/welcome"; // path traversal + SSTI if lang is e.g. "__${T(java.lang.Runtime).getRuntime().exec('id')}"` |
| critical | 529 | Direct command execution function call | `> Example for EJS: ?tmpl=<%- global.process.mainModule.require('child_process').execSync('id') %>]` |
| medium | 199 | Template literal with variable interpolation in command context | ```` ```java ```` |
| medium | 237 | Template literal with variable interpolation in command context | ```` ```java ```` |
| high | 523 | Template literal with variable interpolation in command context | ```` > ``` ```` |
| low | 138 | Node child_process module reference | `// Payload: ?template=<%- global.process.mainModule.require('child_process').execSync('id') %>` |
| low | 154 | Node child_process module reference | `// Payload: {{ range.constructor("return global.process.mainModule.require('child_process').execSync('id').toString()")() }}` |
| medium | 529 | Node child_process module reference | `> Example for EJS: ?tmpl=<%- global.process.mainModule.require('child_process').execSync('id') %>]` |
| medium | 42 | Fetch to external URL | `` - `$smarty->fetch("string:" . user_input)` — Smarty (PHP) `` |
| low | 273 | Fetch to external URL | `// VULNERABLE: user-controlled template string via fetch("string:...")` |
| low | 275 | Fetch to external URL | `$smarty->fetch("string:" . $template);` |
| medium | 382 | Fetch to external URL | `` > - `$smarty->fetch("string:" . $var)` or `$smarty->display("string:" . $var)` `` |
| low | 261 | Access to .env file | `// Payload: {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}` |
| medium | 527 | Access to .env file | `> Example for Twig: ?tmpl={{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}` |

Reading the flagged content rather than the category labels: every hit is documentation of what the skill looks for, not code the skill runs. The "Direct command execution" and "Node child_process" hits are example payloads inside comments (`// Payload:`) or quoted guidance (`> Example for EJS:`); the "Fetch to external URL" hits are Smarty's `$smarty->fetch("string:" ...)`, which renders a template string and makes no network request; the "Access to .env file" hits are Twig's `_self.env`, the template Environment object rather than a dotenv file; and three of the "Template literal" hits sit on bare code-fence markers. A reviewer deciding whether to install should weigh the score against that context, and should also note that a file full of working SSTI payloads is exactly the kind of text a pattern-only scanner will keep flagging.
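To make the distinction above concrete, here is an added example of the kind of pattern check such a skill describes. It is my own illustration, not the sast-ssti skill's logic and not code from the utkusen/sast-skills repository: the rule set, the file-extension mapping and the whole-line-comment heuristic are assumptions of this example, and the three sample source files are constructed, not taken from any real project. Each rule requires both a rendering sink (Smarty `fetch("string:"...)`/`display("string:"...)`, Twig `createTemplate`, EJS `ejs.render`, Handlebars `Handlebars.compile`, a Spring controller returning a concatenated view name) and evidence that the template source is a variable rather than a fixed literal; the comment filter is what keeps a payload example in a comment from being reported as a live sink.

```python
"""Pattern-based scan for server-side template injection (SSTI) sinks.

Added illustration, not the sast-ssti skill's own logic: the rules, the
file-type mapping and the comment heuristic are this example's assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    line_no: int
    engine: str
    snippet: str


# (engine, file extensions the rule applies to, regex). Each regex requires
# both the rendering sink and evidence that the template *source* comes from
# a variable rather than a fixed literal, which is what separates an SSTI
# sink from ordinary template rendering.
SINK_RULES = [
    ("Smarty", (".php",),
     re.compile(r'->(?:fetch|display)\(\s*"string:"\s*\.\s*\$\w+')),
    ("Twig", (".php",),
     re.compile(r'->createTemplate\(\s*\$\w+')),
    ("EJS", (".js", ".ts"),
     re.compile(r'\bejs\.render\(\s*(?!["\'`])\S')),
    ("Handlebars", (".js", ".ts"),
     re.compile(r'\bHandlebars\.compile\(\s*(?!["\'`])\S')),
    # Spring MVC controller returning a view name concatenated from a variable
    ("Spring view name", (".java",),
     re.compile(r'\breturn\s+"[^"]*"\s*\+\s*\w+')),
]

COMMENT_PREFIXES = ("//", "#", "/*", "*")


def is_comment_line(line: str) -> bool:
    """Heuristic: a whole-line comment, where payload *examples* tend to live."""
    return line.lstrip().startswith(COMMENT_PREFIXES)


def scan_source(file: str, source: str, skip_comments: bool = True) -> list[Finding]:
    """Return one Finding per (line, rule) hit in a single file's source."""
    ext = ("." + file.rsplit(".", 1)[-1].lower()) if "." in file else ""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if skip_comments and is_comment_line(line):
            continue
        for engine, exts, pattern in SINK_RULES:
            if ext in exts and pattern.search(line):
                findings.append(Finding(file, line_no, engine, line.strip()))
    return findings


def scan_files(files: dict[str, str], skip_comments: bool = True) -> list[Finding]:
    """Scan an in-memory {filename: source} mapping in insertion order."""
    results: list[Finding] = []
    for name, src in files.items():
        results.extend(scan_source(name, src, skip_comments))
    return results


# Constructed sample sources (not from any real project): each has one live
# sink next to a safe rendering with the same engine, and app.js also carries
# a payload example inside a comment.
SAMPLE_FILES = {
    "profile.php": """<?php
$template = $_GET['tpl'];
// VULNERABLE: request data becomes the template body
$smarty->fetch("string:" . $template);
// SAFE: fixed template file, user data only as an assigned variable
$smarty->assign('name', $_GET['name']);
$smarty->display('profile.tpl');
""",
    "app.js": """const ejs = require('ejs');
app.get('/page', (req, res) => {
  // VULNERABLE: the request parameter is the template source
  res.send(ejs.render(req.query.template, {}));
  // SAFE: fixed template, user data only in the model
  res.send(ejs.render('<h1><%= name %></h1>', { name: req.query.name }));
});
// Reviewer note: ejs.render(req.query.template) is the unsafe shape
""",
    "UserController.java": """@GetMapping("/user/{lang}")
public String welcome(@PathVariable String lang) {
    // VULNERABLE: view name built from a path variable
    return "user/" + lang + "/welcome";
}
""",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.file}:{f.line_no} [{f.engine}] {f.snippet}")
    # → 3 findings: profile.php:4, app.js:4, UserController.java:4;
    #   the payload example in the app.js comment is not reported.
```

Run as a script it reports the three live sinks and stays silent on the comment in app.js; pass `skip_comments=False` to `scan_files` and that comment is reported too, which is the behaviour the audit above exhibits against SKILL.md. A single-line regex is only a first pass: the Spring rule cannot tell a path variable from a constant, and the Smarty rule misses a `"string:"` prefix built two lines earlier, so a real engine follows the variable back to its source (request parameter, database field, file) instead of judging the line in isolation.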
Scanned on Jun 6, 2026
GitHub stars: 659
Category: development
Updated: June 15, 2026
Repository: utkusen/sast-skills