SkillTotal

Is instructor safe?

No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Python shell/command execution
  • Python filesystem write/delete
  • Python filesystem read

instructor is an AI python_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 4 risky constructs are reported for review. It can: filesystem read, filesystem write, network egress and shell execution — capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).

instructor 1.15.4

python_package · pypi:instructor
LOW
0
/ 100 risk score
Snapshot · scanned Jul 7, 2026 · instructor@1.15.4 · engine 0.34.2 / ruleset 34

Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of instructor's authors. Report a false positive.

Capabilities — what this component can do (not a risk score):
filesystem readfilesystem writenetwork egressshell execution

Findings (4)

HIGHPython shell/command executionST-SHELL-PY

The component can run operating-system commands or spawn processes.

result = subprocess.run(
            cmd, capture_output=True, text=True, cwd=Path(__file__).parent.parent
        )

Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.

Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; avoid shell=True.

MEDIUMPython filesystem readST-FS-PY-READ

The component reads files from disk.

with open(file_path) as file:
with open(file_path_or_buffer) as f:
with open(file_path_or_buffer, "rb") as f:
with open(messages_file) as f:
with open(filepath, "rb") as file:
with open(file, "rb") as file_buffer:
with open(validation_file, "rb") as val_file:
data = base64.b64encode(path.read_bytes()).decode("utf-8")
data = base64.b64encode(path.read_bytes()).decode("utf-8")
data = base64.b64encode(path.read_bytes()).decode("utf-8")
content = file_path.read_text(encoding="utf-8")
with open(md_file, encoding="utf-8") as f:
content = file_path.read_text(encoding="utf-8")
content = file_path.read_text(encoding="utf-8")

Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.

Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.

MEDIUMPython filesystem write/deleteST-FS-PY-WRITE

The component writes or deletes files on disk.

with open(file_path_or_buffer, "a") as f:
with open(download_file_path, "w") as file:
with open(download_file_path, "w") as file:
with open(output_file, "w") as f:
with open(output_file, "w") as f:
with open(output, "wb") as file:
file_path.write_text(new_content, encoding="utf-8")
file_path.write_text(new_content, encoding="utf-8")
with open(md_file, "w", encoding="utf-8") as f:

Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.

Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.

MEDIUMPython network egressST-NET-PY

The component makes outbound network requests.

async with aiohttp.ClientSession() as session:
from urllib.parse import urlparse
response = requests.get(public_url, timeout=timeout)
response = requests.head(url, allow_redirects=True)
response = requests.get(public_url, timeout=timeout)
response = requests.get(public_url, timeout=timeout)
response = requests.head(url, allow_redirects=True)
name = Path(urlparse(self.source).path).name or "document"
pdf.data = requests.get(str(pdf.source)).content

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

Check your own component

Run the same evidence-backed scan on any MCP server, agent skill, or package.

Scan your own component

Or get notified if this component's risk changes:

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →