Does it detect argument injection as well as command injection?

Yes, it identifies patterns where flags or arguments are passed to commands without proper escaping, preventing malicious input from hijacking command behavior.

What specific PHP functions does this skill monitor?

It detects dangerous execution functions including exec, shell_exec, system, passthru, popen, proc_open, and the backtick operator.

Does it provide solutions for the vulnerabilities it finds?

Yes, it provides specific remediation steps such as using escapeshellarg(), implementing whitelists, or switching to the Symfony Process component.

Can this skill help with OWASP compliance?

Absolutely, it specifically targets OWASP A03:2021 (Injection) vulnerabilities related to OS command execution (CWE-78).

PHP Command Injection Security Checker

Name: PHP Command Injection Security Checker
Author: dykyi-roman

bydykyi-roman

•

安全与测试

Identifies and fixes OS command injection vulnerabilities in PHP applications by detecting unescaped user input in system execution functions.

This skill empowers developers to secure PHP applications by scanning for OS command injection patterns (CWE-78) across codebases. It automatically detects dangerous usage of functions like exec, shell_exec, and system, as well as backtick operators and unescaped argument building. By providing severity classifications, OWASP-mapped vulnerabilities, and secure code alternatives—such as the Symfony Process component or proper shell escaping—it ensures that backend integrations with system tools remain robust against Remote Code Execution (RCE) attacks.

主要功能

0145 GitHub stars

02Maps findings to CWE-78 and OWASP A03:2021 security standards

03Detects vulnerable functions including shell_exec, passthru, and proc_open

04Analyzes indirect injection risks via filenames and environment variables

05Identifies unescaped backtick operators and string interpolations in commands

06Provides automated grep patterns for rapid security auditing

使用场景

01Reviewing pull requests for dangerous shell command implementations

02Automating security audits for legacy PHP codebases and system integrations

03Hardening image and video processing scripts using ImageMagick or FFmpeg

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add dykyi-roman/awesome-claude-code check-command-injection

For use in Claude.ai and ChatGPT

Download Skill