Claude-skill-registry detecting-command-injection

Detects OS command injection vulnerabilities by identifying unsafe system/popen/exec calls with user-controlled input. Use when analyzing command execution, shell operations, or investigating potential command injection points.

install

source · Clone the upstream repo

git clone https://github.com/majiayu000/claude-skill-registry

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/detecting-command-injection" ~/.claude/skills/majiayu000-claude-skill-registry-detecting-command-injection && rm -rf "$T"

manifest: skills/data/detecting-command-injection/SKILL.md

Command Injection Detection

Detection Workflow

Identify command execution points: Find system(), popen(), execve(), ShellExecute(), CreateProcess() calls
Trace input sources: Use
```
xrefs_to
```
to trace command strings to user input (network, files, environment variables)
Check sanitization: Verify input validation, character escaping, command argument separation, safe API usage
Assess exploitability: Can attacker inject special characters (;, &, |, `)? Control command arguments? Execute multiple commands?

Key Patterns

Direct system() with unvalidated user input
popen() with partial sanitization
execve with insufficient validation
Indirect command execution via environment variables

Output Format

Report with: id, type (system/popen/exec), severity, confidence, location, sink, source, command string, sanitization status, exploitability, payload example, mitigation.

Severity Guidelines

CRITICAL: Direct use of system() with unvalidated user input
HIGH: popen() with partial sanitization
MEDIUM: execve with array but insufficient validation
LOW: Command execution with strict whitelisting