Scan Receipt
Risk Indicators
Automated scan record bound to build artifact hash.
Artifact Details
| Skill Name | skill_bad |
|---|---|
| Developer | vibegate-demo |
| Source URL | — |
| Scanned (UTC) | 2026-03-02T05:46:52Z |
Risk Summary
| Risk Score | 100 / 100 |
|---|---|
| Status | Risk Indicators |
| Risk Tags |
SHA-256 Artifact Hash
0e8ed3d03e0d036dc1cafbf88529432be1f7e0e9890fdf6ec9952fee6a97bb4b
This receipt is cryptographically bound to the above build hash. A different build of the same skill will produce a different hash and require a new scan.
Static Analysis Findings
{
"files_scanned": [
"main.py"
],
"total_indicators": 8,
"categories_hit": [
"code_execution",
"hardcoded_secret",
"network",
"obfuscation",
"risky_fs"
],
"indicators": [
{
"category": "obfuscation",
"description": "base64 decode (potential obfuscation)",
"file": "main.py",
"line": 16,
"snippet": "# base64.b64decode triggers the \"obfuscation\" category"
},
{
"category": "obfuscation",
"description": "base64 decode (potential obfuscation)",
"file": "main.py",
"line": 17,
"snippet": "_label = base64.b64decode(\"c2tpbGxfYmFkX2RlbW8=\").decode() # \"skill_bad_demo\""
},
{
"category": "hardcoded_secret",
"description": "Hardcoded API key / secret",
"file": "main.py",
"line": 21,
"snippet": "API_KEY = \"sk-demo-hardcoded-secret-value-not-real-abcdef1234\""
},
{
"category": "risky_fs",
"description": "Access to sensitive system path",
"file": "main.py",
"line": 26,
"snippet": "for path in [\"/etc/passwd\", \"/etc/hostname\"]:"
},
{
"category": "code_execution",
"description": "Dynamic exec() call",
"file": "main.py",
"line": 36,
"snippet": "\"\"\"exec() call \u2014 triggers code_execution category.\"\"\""
},
{
"category": "code_execution",
"description": "Dynamic exec() call",
"file": "main.py",
"line": 38,
"snippet": "exec(\"ns['x'] = 2 ** 10\", ns) # noqa: S102"
},
{
"category": "code_execution",
"description": "subprocess execution",
"file": "main.py",
"line": 44,
"snippet": "out = subprocess.check_output([\"id\"], timeout=2)"
},
{
"category": "network",
"description": "Raw socket usage",
"file": "main.py",
"line": 53,
"snippet": "conn = socket.create_connection((\"8.8.8.8\", 53), timeout=2)"
}
]
}
Sandbox Execution Findings
{
"executed": true,
"exit_code": 1,
"stdout": "",
"stderr": "Traceback (most recent call last):\n File \"/skill/main.py\", line 65, in <module>\n \"exec_result\": run_dynamic(),\n ^^^^^^^^^^^^^\n File \"/skill/main.py\", line 38, in run_dynamic\n exec(\"ns['x'] = 2 ** 10\", ns) # noqa: S102\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"<string>\", line 1, in <module>\nNameError: name 'ns' is not defined\n",
"runtime_ms": 1984,
"timed_out": false,
"runtime_error": null
}
Important: These findings are generated by fully automated analysis. They represent indicators only and are not a determination of maliciousness or fitness for any purpose. Detailed evidence is redacted in the public ledger and is available only in paid full reports. VibeGate makes no warranty as to the accuracy or completeness of automated findings. See our methodology and terms for full details.