First Seen
Feb 19, 2026
Last Scanned
Feb 22, 2026
Findings
14
Score
69/100
Findings (14)
Detects instructions to decode and execute base64 content
BASE64` + `ACTP_KEY_PASSWORD` (for Docker/Railway/serverlessRemove text that simulates multi-turn conversations or fake user/assistant message pairs. These patterns attempt to manipulate the agent by fabricating conversation history.
Likely FP if the matched text is documentation showing example conversations or API request/response formats for illustration purposes.
Detects instructions to decode and execute base64 content
BASE64 (base64-encoded keystore — for Docker/Railway/serverlessRemove text that simulates multi-turn conversations or fake user/assistant message pairs. These patterns attempt to manipulate the agent by fabricating conversation history.
Likely FP if the matched text is documentation showing example conversations or API request/response formats for illustration purposes.
Detects instructions to decode and execute base64 content
base64-encoded keystore for containerized/serverlessRemove text that simulates multi-turn conversations or fake user/assistant message pairs. These patterns attempt to manipulate the agent by fabricating conversation history.
Likely FP if the matched text is documentation showing example conversations or API request/response formats for illustration purposes.
Detects pip install of arbitrary packages that modify the host environment
pip install agPin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
Likely FP if the match is in documentation showing how to install the skill's own PyPI package.
Detects pip install of arbitrary packages that modify the host environment
pip install agPin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
Likely FP if the match is in documentation showing how to install the skill's own PyPI package.
Detects npx executing packages from unverified sources without pinned versions
npx @agirails/sdk Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @agirails/sdk Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects hardcoded API keys, tokens, or passwords in MCP server environment configuration
"env": { + "ACTP_KEY_PASSWORD": "your-keystore-password"Remove shell metacharacters (semicolons, pipes, ampersands, backticks) from MCP server arguments. Use explicit argument arrays and avoid shell expansion in MCP configurations.
Likely FP if the metacharacter is a literal part of a non-shell argument (e.g., a regex pattern or a URL query parameter containing ampersands).
Detects pip install of arbitrary packages that modify the host environment
pip install agPin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
Likely FP if the match is in documentation showing how to install the skill's own PyPI package.
Detects MCP server configurations connecting to non-localhost remote URLs
"url": "https://your-agent-endpoint.com"Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.
Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).
Detects pip install of arbitrary packages that modify the host environment
pip install agPin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
Likely FP if the match is in documentation showing how to install the skill's own PyPI package.
Detects execution of shell script files via bash/sh command or direct invocation
bash {baseDir}/scripts/setup.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects patterns where external API responses are used directly without validation or sanitization
Endpoint | Purpose | Data + without `actp init`. If you useValidate and sanitize all data received from external APIs before using it in tool operations or agent prompts. Implement schema validation and treat API responses as untrusted input.
Likely FP if the match is a truncated table cell or documentation fragment that mentions API responses in a descriptive context, not actual unvalidated data processing.
Detects pip install of arbitrary packages that modify the host environment
pip install agPin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
Likely FP if the match is in documentation showing how to install the skill's own PyPI package.