SkillTotal

Is NumPy safe?

No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Python shell/command execution
  • Python dynamic code execution
  • Possible command injection (shell + dynamic command)

numpy is an AI python_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 6 risky constructs are reported for review. It can: dynamic code execution, filesystem read, filesystem write, network egress and shell execution — capabilities are what the code can do, not a verdict on intent. Risk score 20/100 (low).

numpy 2.5.1

python_package · pypi:numpy
LOW
20
/ 100 risk score
Snapshot · scanned Jul 5, 2026 · numpy@2.5.1 · engine 0.32.0 / ruleset 30

Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of NumPy's authors. Report a false positive.

Capabilities — what this component can do (not a risk score):
dynamic code executionfilesystem readfilesystem writenetwork egressshell execution

Findings (6)

HIGHPossible command injection (shell + dynamic command)ST-CMDI-PY

The code builds an OS command out of values that can change at runtime, then runs it through a shell.

rc = subprocess.check_call("./scripts/bench-compare.sh '%s' '%s' '%d'" % (baseline, contender, repeatnum), shell=True)
rc = subprocess.check_call("./scripts/branch-compare.sh '%s' '%d'" % (branch, repeatnum), shell=True)
rc = subprocess.check_call("./scripts/branch-compare.sh '%s' '%s' '%d'" % (branch, args.filter, repeatnum), shell=True)
os.system(f"cp {notes} {target_rst}")

Why it matters: If any of those values come from untrusted input, an attacker can run their own commands on the machine.

Fix: Pass arguments as a list without shell=True (e.g. subprocess.run(['git', 'checkout', branch])); never build a shell string from external input. If a shell is unavoidable, quote with shlex.quote.

HIGHPython dynamic code executionST-DYN-PY

The code turns strings into live code at runtime (eval / new Function / exec).

value = eval(code, self.default_namespace, ns)
exec(code, self.default_namespace, ns)

Why it matters: If those strings aren't fixed and trusted, they become a way to run arbitrary code.

Fix: Avoid evaluating dynamically constructed code; if unavoidable, ensure the input is a trusted constant and never derived from external data.

HIGHPython shell/command executionST-SHELL-PY

The component can run operating-system commands or spawn processes.

p = subprocess.run(cmd, check=True, capture_output=True, text=True)
res = run(['gcc', '-v'], check=True, text=True, capture_output=True)
p = subprocess.Popen(
            ['git', '-c', 'log.showSignature=false', 'log', '-1', '--format="%H %aI"'],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            cwd=os.path.dirname(__file__),
        )
rc = subprocess.check_call("./scripts/bench-compare.sh '%s' '%s' '%d'" % (baseline, contender, repeatnum), shell=True)
rc = subprocess.check_call("./scripts/branch-compare.sh '%s' '%d'" % (branch, repeatnum), shell=True)
rc = subprocess.check_call("./scripts/branch-compare.sh '%s' '%s' '%d'" % (branch, args.filter, repeatnum), shell=True)
subprocess.run(command, cwd=cwd, check=True)

Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.

Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; avoid shell=True.

MEDIUMPython filesystem readST-FS-PY-READ

The component reads files from disk.

with open(template_name, "rb") as f:
f_ctx = open(
                os.fspath(filename),
                ('r' if mode == 'c' else mode) + 'b'
            )
ctx = open(os.fspath(fd), 'rb')
with open(filename, encoding=encoding, errors=errors, newline="") as fp:

Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.

Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.

MEDIUMPython filesystem write/deleteST-FS-PY-WRITE

The component writes or deletes files on disk.

with open(outfile, 'w') as f:
with open(local, "wt", encoding="utf8") as fid:
with open(pkg_config_fname, "wt", encoding="utf8") as fid:
with open(outfile, 'w') as f:
with open(outfile, 'w') as f:
with open(options.output, "wb") as f:
ctx = open(os.fspath(file), "wb")
with open(filename, "w", encoding=encoding, errors=errors, newline="") as fp:

Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.

Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.

MEDIUMPython network egressST-NET-PY

The component makes outbound network requests.

urllib.request.urlretrieve(PYTHONCAPI_COMPAT_URL, target)
from urllib.parse import urlparse
scheme, netloc, upath, uparams, uquery, ufrag = urlparse(path)
from urllib.request import urlopen
with urlopen(path) as openedurl:
from urllib.parse import urlparse
scheme, netloc, upath, uparams, uquery, ufrag = urlparse(path)
from urllib.error import URLError
from urllib.request import urlopen

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

Check your own component

Run the same evidence-backed scan on any MCP server, agent skill, or package.

Scan your own component

Or get notified if this component's risk changes:

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →