Is semantic-kernel safe?
- Python dynamic code execution
- Python filesystem read
- Python network egress
semantic-kernel is an AI python_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 4 risky constructs are reported for review. It can: dynamic code execution, filesystem read, filesystem write and network egress — capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).
semantic-kernel 1.44.0
Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of semantic-kernel's authors. Report a false positive.
Findings (4)
The code turns strings into live code at runtime (eval / new Function / exec).
self._template_compiler = Compiler().compile(self.prompt_template_config.template)
Why it matters: If those strings aren't fixed and trusted, they become a way to run arbitrary code.
Fix: Avoid evaluating dynamically constructed code; if unavoidable, ensure the input is a trusted constant and never derived from external data.
The component reads files from disk.
with open(file_path, encoding=encoding) as f:
"private_key": Path(self.client_cert_path).read_text(),
pem_bytes = Path(cert_path).read_bytes()
with open(json_gen_ai_config) as file:
with open(settings.filename, "rb") as audio_file:
with open(path, "rb") as audio_file:
data = path.read_bytes()
with open(file_path) as file:
with open(path, "rb") as image_file:
with open(validated_path, "rb") as data:
with open(config_path, encoding=encoding) as config_file:
with open(prompt_path, encoding=encoding) as prompt_file:
with open(object, encoding=encoding) as file:
with open(file_path, encoding=encoding) as f:
Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.
Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.
The component writes or deletes files on disk.
with open(path, "wb") as file:
with open(file_path, "w") as local_file:
with open(validated_path, "wb") as f:
Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.
Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.
The component makes outbound network requests.
from urllib.parse import quote_plus
self.filters.append({field: quote_plus(value)})from aiohttp import ClientSession
ClientSession() as session,
ClientSession() as session,
from aiohttp import ClientSession
ClientSession() as session,
from httpx import AsyncClient, HTTPStatusError, RequestError
async with AsyncClient(timeout=5) as client:
from urllib.parse import quote_plus
from httpx import AsyncClient, HTTPStatusError, RequestError
async with AsyncClient(timeout=5) as client:
return f"?q={quote_plus(query)}&{'&'.join(f'{k}={v}' for k, v in params.items())}"self._session = session if session else aiohttp.ClientSession()
from urllib.parse import ParseResult, ParseResultBytes, quote, unquote, urlencode, urljoin, urlparse, urlunparse
parsed_base = urlparse(base_url)
full_path = urljoin(base_path, path.lstrip("/"))return urlunparse(parsed_base._replace(path=full_path))
request_url = urljoin(server_url, path.lstrip("/"))server = urlparse(server_url)
Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.
Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.
Check your own component
Run the same evidence-backed scan on any MCP server, agent skill, or package.
Scan your own componentOr get notified if this component's risk changes:
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →