We scanned your skill as part of a 220-repo audit ahead of our HN launch. openapi-to-cli scored 26/100.
Primary driver: a critical shell_exec in scripts/generate-version.js:7 — a subprocess call during what appears to be a version generation step. Even in build scripts, spawning subprocesses with potentially unscoped inputs is the highest-severity category in our model. The same file has multiple fs_write findings at line 44+.
Full report: https://novingly.com/scan/271351d9-9f8f-4331-956b-95b5e9c92841
The subprocess in generate-version.js is likely calling git describe or similar — replacing it with a direct API call or hardcoding the version string at build time removes the finding. The fs_write findings resolve by scoping output to a clearly named dist or temp directory. We're launching on HN Tuesday — if a "Verified by Novingly" badge is worth $10/mo to you after patching, reply here or drop your email at novingly.com. No pressure.