24konbini

clawhub:24konbini

View source

85/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

85/100

HIGH 1

LOW 1

Findings (2)

HIGH

Binary download and execute EXTDL_007

external-download L23

Detects downloading a binary file followed by making it executable

curl -s https://24konbin + ./a

FIX

Pin the download to a specific version tag or commit hash. Verify the downloaded file's checksum before using it. Avoid piping curl output directly to a shell.

FP?

Likely FP if downloading from an official, well-known domain (e.g., deno.land, rustup.rs) with HTTPS, though this pattern remains risky even with trusted sources.

LOW

Runtime URL controlling behavior THIRDPARTY_001

third-party-content L937

Detects URLs fetched at runtime that control or influence agent behavior without pinning

Read the human guide: https:// + config

FIX

Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.

FP?

Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.