#10530: fix: tighten skill scanner false positives and add vm module detection
size: S
trusted-contributor
## Summary
- Fix overly broad `\bpost\b` regex in exfiltration and env-harvesting context patterns — was matching the word "post" in comments and variable names, causing false positives. Now requires `method:"POST"`, `.post()`, or `http.request` patterns instead
- Add `vm` module detection rule covering `vm.runInNewContext`, `vm.compileFunction`, `vm.Script`, and `vm.runInThisContext` — gated on `"node:vm"` or `"vm"` import context to avoid false positives
- Add 10 new tests covering false positive regression, vm detection, and vm context gating
## Test plan
- [x] Build passes
- [x] All 29 scanner tests pass
- [x] All 44 audit tests pass (73 total across both suites)
- [x] Existing exfiltration test updated to use `method: "POST"` instead of bare "post"
- [x] New test verifies bare "post" in comments does NOT trigger exfiltration rule
## Greptile Overview
### Greptile Summary
- Tightens exfiltration/env-harvesting context matching by replacing a broad `\bpost\b` check with more specific `method:"POST"`, `.post(...)`, `fetch`, or `http.request` patterns.
- Adds a new line-based detection rule for Node’s `vm` module APIs (with import-string context gating) to flag dynamic code execution.
- Updates/extends the test suite with regression coverage for the prior `post` false-positive and new vm detection/gating cases.
### Confidence Score: 4/5
- Mostly safe to merge, but vm detection/deduping issues likely reduce intended scanner coverage.
- Changes are localized to regex-based detection and tests; however, introducing a second line-rule with the same `ruleId` causes deterministic under-reporting in files that contain multiple dynamic-execution indicators, and the vm regex misses the common `new vm.Script(...)` form, so the PR doesn’t fully achieve its stated detection goals.
- src/security/skill-scanner.ts
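The two context-gating ideas from the PR summary (a narrow HTTP-send pattern instead of a bare `\bpost\b`, and a vm rule that only fires when `vm`/`node:vm` is imported), plus the `new vm.Script(...)` form the review flags as missed, as an added TypeScript example that is not the repository's own `skill-scanner.ts`; the `scanLines` function, the `Finding` shape and the rule id strings are assumptions for illustration:

```typescript
// Added example, not the repository's own skill-scanner.ts. Names such as
// scanLines, Finding and the ruleId strings are assumptions for illustration.
interface Finding { ruleId: string; line: number; text: string }

// Narrow "send" context: method:"POST" (any quote style), .post(, fetch(, http(s).request(
// instead of a bare \bpost\b, so the word in a comment or variable name no longer counts.
const HTTP_SEND = /method\s*:\s*["'`]POST["'`]|\.post\s*\(|\bfetch\s*\(|\bhttps?\.request\s*\(/i;
// Env or credential reads that, together with a send context, suggest exfiltration.
const SECRET_SOURCE = /process\.env\b|\b(?:token|apiKey|api_key|secret|password)\b/i;

// vm APIs. Matching `vm.Script` without requiring a trailing "(" also covers `new vm.Script(...)`.
const VM_CALL = /\bvm\.(?:runInNewContext|runInThisContext|compileFunction|Script)\b/;
// Gate: only report vm calls when the file imports or requires "vm" / "node:vm".
const VM_IMPORT = /(?:require\s*\(|from\s+)\s*["'`](?:node:)?vm["'`]/;

function scanLines(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  const hasSendContext = lines.some((l) => HTTP_SEND.test(l));
  const hasVmImport = lines.some((l) => VM_IMPORT.test(l));
  lines.forEach((text, i) => {
    const line = i + 1;
    if (hasSendContext && SECRET_SOURCE.test(text)) {
      findings.push({ ruleId: "exfiltration", line, text });
    }
    if (hasVmImport && VM_CALL.test(text)) {
      findings.push({ ruleId: "dynamic-code-vm", line, text });
    }
  });
  return findings;
}

// Constructed sample skill sources (not taken from the PR).
const VM_SKILL = [
  'import vm from "node:vm";',
  "// post the results to the log",          // bare "post" in a comment: not a send context
  "const post = process.env.HOME;",          // "post" as an identifier: still not a send context
  "vm.runInNewContext(code, sandbox);",
  "const script = new vm.Script(src);",
];
const EXFIL_SKILL = [
  "const token = process.env.GITHUB_TOKEN;",
  'fetch(url, { method: "POST", body: payload });',
];
```

Running `scanLines(VM_SKILL)` reports only the two vm lines (4 and 5), and dropping the import line reports nothing; `scanLines(EXFIL_SKILL)` reports line 1, while the same env read without any send construct in the file is silent.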