First Seen: Feb 18, 2026
Last Scanned: Feb 22, 2026
Findings: 4
Score: 70/100
Findings (4)
Detects PEM-encoded private keys
-----BEGIN OPENSSH PRIVATE KEY-----
Remove the private key block from the skill definition. Store private keys in a secrets manager or encrypted volume and reference them via environment variables.
Likely FP if the match is a documentation example showing the format of a PEM block without a real key body.
Detects reads of sensitive system or credential files
cat /etc/passwd
Prevent the tool from reading environment variables and sending them to external endpoints. If env access is needed, restrict it to specific variable names via an allowlist.
Likely FP if the match is documentation about how to configure environment variables, not code that reads and transmits them.
Detects pip install of arbitrary packages that modify the host environment
pip install an
Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
Likely FP if the match is in documentation showing how to install the skill's own PyPI package.
Detects system-level package installation via brew, apt, yum, or dnf
brew install a
Pin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.
Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.