First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
3
Score
92/100
Findings (3)
Detects skills fetching external URLs to use as runtime instructions
curl -fsSL https://raw.githubusercontent.com + ConfigurationPin the downloaded resource to a specific version or commit hash, and verify its integrity with a checksum (SHA-256). Avoid fetching scripts or binaries from arbitrary URLs at runtime.
Likely FP if the download URL points to a well-known CDN or package registry (e.g., npmjs.com, pypi.org) and is pinned to a specific version.
Detects references to raw.githubusercontent.com on mutable branches like main/master
raw.githubusercontent.com/adinvadim/2captcha-cli/main/Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.
Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.
Detects URLs fetched at runtime that control or influence agent behavior without pinning
Get your API key at https:// + configAvoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.
Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.