Security Findings in Executable Artifacts
While auditing NL programming artifacts in this repository, our scanner detected potential security issues in executable files.
Findings
| # | Severity | File | Line(s) | Pattern | Description |
|---|----------|------|---------|---------|-------------|
| 1 | HIGH | plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh | 92, 99, 105 | SEC-sudo | `pkg_install()` invokes `sudo apt-get`, `sudo dnf`, `sudo pacman`; package names are hardcoded, so there is no injection risk, but sudo elevation is unconditional whenever sudo is available |
| 2 | HIGH | plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh | 144–163, 244, 309, 385 | SEC-path-modification | `add_to_profile()` appends `export PATH=...` and `export FERNFLOWER_JAR_PATH=...` to `~/.zshrc`, `~/.bashrc`, or `~/.profile`: persistent file writes outside the repo and a permanent PATH modification |
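Both findings describe the same class of behaviour: a helper that silently takes a privileged or persistent action on the user's machine. As an added example that is not part of the audited skill or of this report, the POSIX shell below shows hardened counterparts to the two flagged helpers: an installer that builds its command visibly, skips `sudo` when already running as root and fails closed when a hypothetical `NLPM_NO_SUDO` switch is set, and a profile writer that only touches a shell rc file when a hypothetical `NLPM_PERSIST_PATH` opt-in is present and never appends the same line twice. Function names echo the report; bodies, switch names and package lists are assumptions.

```shell
#!/bin/sh
# Added example, not code from the audited skill or the NLPM scanner.
# Hardened counterparts to the two flagged patterns; the NLPM_NO_SUDO and
# NLPM_PERSIST_PATH switches are hypothetical names chosen for illustration.

# Finding 1: return the install command instead of running it, elevate only
# when not already root, and fail closed when the caller forbids sudo.
#   $1 = effective uid, $2 = package manager, $3.. = hardcoded package names
build_pkg_cmd() {
    uid="$1"; pm="$2"; shift 2
    case "$pm" in
        apt-get|dnf) args="install -y $*" ;;
        pacman)      args="-S --noconfirm $*" ;;
        *) echo "unsupported package manager: $pm" >&2; return 1 ;;
    esac
    if [ "$uid" -eq 0 ]; then
        printf '%s %s\n' "$pm" "$args"        # already root: never call sudo
    elif [ -n "${NLPM_NO_SUDO:-}" ]; then
        echo "refusing to elevate: NLPM_NO_SUDO is set" >&2; return 1
    else
        printf 'sudo %s %s\n' "$pm" "$args"   # elevation is explicit and visible
    fi
}

# Finding 2: write the export line only when the user opted in, never twice,
# and otherwise print the line so the user can apply it themselves.
#   $1 = target rc file, $2 = export line
add_to_profile() {
    rc="$1"; line="$2"
    if [ -z "${NLPM_PERSIST_PATH:-}" ]; then
        printf 'Not modifying %s. To persist, add:\n  %s\n' "$rc" "$line" >&2
        return 0
    fi
    # grep -x -F: match the whole line literally, so the append is idempotent
    if [ -f "$rc" ] && grep -qxF -- "$line" "$rc"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$rc"
}

# Number of times $2 appears as a whole line in file $1 (0 if absent/missing).
count_line() { grep -cxF -- "$2" "$1" 2>/dev/null || true; }

# Demo: run with --demo to see the command that would be executed and the
# opt-in behaviour of the profile writer against a temporary file.
if [ "${1:-}" = "--demo" ]; then
    build_pkg_cmd "$(id -u)" apt-get git
    tmp=$(mktemp)
    add_to_profile "$tmp" 'export FERNFLOWER_JAR_PATH=/opt/fernflower.jar'
    NLPM_PERSIST_PATH=1 add_to_profile "$tmp" 'export FERNFLOWER_JAR_PATH=/opt/fernflower.jar'
    echo "lines written: $(count_line "$tmp" 'export FERNFLOWER_JAR_PATH=/opt/fernflower.jar')"
    rm -f "$tmp"
fi
```

The point of returning the command rather than executing it is that the caller (or a `--dry-run` flag) can show the user exactly what will run under `sudo` before anything happens; the point of the opt-in and the whole-line `grep` is that re-running the installer neither surprises the user nor keeps growing their rc file.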
About This Report
These findings come from NLPM's security scanner, which checks executable surfaces (hooks, scripts, MCP configs, dependencies) against known-dangerous patterns.
We may be wrong — false positives happen. If any finding is intentional or already mitigated, please close this issue. If a finding is genuine and you'd like a fix PR, let us know.
Full audit report: https://github.com/xiaolai/nlpm-for-claude/blob/main/auditor/audits/SimoneAvogadro-android-reverse-engineering-skill.md