SkillTotal

Is semantic-kernel safe?

No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Python dynamic code execution
  • Python filesystem read
  • Python network egress

semantic-kernel is an AI python_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 4 risky constructs are reported for review. It can: dynamic code execution, filesystem read, filesystem write and network egress — capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).

semantic-kernel 1.44.0

python_package · pypi:semantic-kernel
LOW
0
/ 100 risk score
Snapshot · scanned Jul 7, 2026 · semantic-kernel@1.44.0 · engine 0.34.2 / ruleset 34

Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of semantic-kernel's authors. Report a false positive.

Capabilities — what this component can do (not a risk score):
dynamic code executionfilesystem readfilesystem writenetwork egress

Findings (4)

HIGHPython dynamic code executionST-DYN-PY

The code turns strings into live code at runtime (eval / new Function / exec).

self._template_compiler = Compiler().compile(self.prompt_template_config.template)

Why it matters: If those strings aren't fixed and trusted, they become a way to run arbitrary code.

Fix: Avoid evaluating dynamically constructed code; if unavoidable, ensure the input is a trusted constant and never derived from external data.

MEDIUMPython filesystem readST-FS-PY-READ

The component reads files from disk.

with open(file_path, encoding=encoding) as f:
"private_key": Path(self.client_cert_path).read_text(),
with open(path, "rb") as audio_file:
with open(path, "rb") as image_file:
with open(config_path, encoding=encoding) as config_file:
with open(prompt_path, encoding=encoding) as prompt_file:
with open(object, encoding=encoding) as file:

Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.

Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.

MEDIUMPython filesystem write/deleteST-FS-PY-WRITE

The component writes or deletes files on disk.

Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.

Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.

MEDIUMPython network egressST-NET-PY

The component makes outbound network requests.

from urllib.parse import quote_plus
self.filters.append({field: quote_plus(value)})
from httpx import AsyncClient, HTTPStatusError, RequestError
async with AsyncClient(timeout=5) as client:
from urllib.parse import quote_plus
from httpx import AsyncClient, HTTPStatusError, RequestError
async with AsyncClient(timeout=5) as client:
return f"?q={quote_plus(query)}&{'&'.join(f'{k}={v}' for k, v in params.items())}"
self._session = session if session else aiohttp.ClientSession()
from urllib.parse import ParseResult, ParseResultBytes, quote, unquote, urlencode, urljoin, urlparse, urlunparse
return urlunparse(parsed_base._replace(path=full_path))

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

Check your own component

Run the same evidence-backed scan on any MCP server, agent skill, or package.

Scan your own component

Or get notified if this component's risk changes:

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →