We scanned 220+ skill repos before our HN launch. gemini-skill scored 54/100 — mid-range, but one critical finding is suppressing what would otherwise be a stronger score.
The critical: shell_exec in src/browser.js:71 — a subprocess spawned in the browser integration path. There's also an fs_write in src/demo.js:132 writing to a path not clearly scoped as temp. Both are in auxiliary files (browser helper and demo) rather than the main skill logic, which makes them easy to miss in a standard code review.
Full report: https://novingly.com/scan/9f52a5c8-a7a6-44a1-9265-cb84dfa55bcb
Addressing the subprocess in src/browser.js is the highest-value fix — that single change removes the critical finding and should push the score into the 70s. The fs_write in demo.js is lower priority but worth scoping to a named output directory. We're launching on HN Tuesday — if a "Verified by Novingly" badge would be worth $10/mo to you after patching, reply here or drop your email at novingly.com. No pressure.