Add SafeSkill security badge (20/100 — Blocked)

[OyaAIProd]

🔴 SafeSkill Security Scan Results

Metric	Value
Overall Score	20/100 (Blocked)
Code Score	56/100
Content Score	63/100
Findings	1120 findings detected (140 critical)
Taint Flows	157
Files Scanned	226
Scan Duration	27.1s

Note: This package is an MCP server — child_process, filesystem, and environment access are expected capabilities for tool servers and are excluded from scoring and top findings.

Top Findings

• 🔴 critical: Heavy String.fromCharCode usage (11 calls) — likely obfuscated strings (plugin/code.js:554)
• 🔴 critical: Very long single-line expression (1206 chars) — possibly minified or obfuscated code (plugin/code.js:576)
• 🔴 critical: Very long single-line expression (2267 chars) — possibly minified or obfuscated code (plugin/code.js:577)
• 🔴 critical: Pipes downloaded content to execution or file write (src/commands/upgrade.ts:46)
• 🔴 critical: Shell execution with download command: execSync() contains URL or curl/wget (src/notes/installer.ts:91)

View full report on SafeSkill

---

About SafeSkill

SafeSkill is a free, open-source security scanner for AI tools, MCP servers, and Claude Code skills. We scan for code exploits, prompt injection, and data exfiltration risks.

False positive? We take accuracy seriously. If any finding above is incorrect, please open an issue and we will fix it immediately.

• GitHub | Website | Docs
• Built by Oya.ai -- AI Employees Builder