First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
17
Score
0/100
Findings (17)
Detects alternative representations of localhost used to bypass SSRF filters
http://[::1]Prevent URL redirection from bypassing SSRF protections. Validate the final destination URL after following redirects and block redirect chains that resolve to internal addresses.
Likely FP if the match is documentation about redirect handling behavior without an actual open redirect vulnerability.
Detects alternative representations of localhost used to bypass SSRF filters
http://[::1]Prevent URL redirection from bypassing SSRF protections. Validate the final destination URL after following redirects and block redirect chains that resolve to internal addresses.
Likely FP if the match is documentation about redirect handling behavior without an actual open redirect vulnerability.
Detects alternative representations of localhost used to bypass SSRF filters
http://[::1]Prevent URL redirection from bypassing SSRF protections. Validate the final destination URL after following redirects and block redirect chains that resolve to internal addresses.
Likely FP if the match is documentation about redirect handling behavior without an actual open redirect vulnerability.
Detects alternative representations of localhost used to bypass SSRF filters
http://[::1]Prevent URL redirection from bypassing SSRF protections. Validate the final destination URL after following redirects and block redirect chains that resolve to internal addresses.
Likely FP if the match is documentation about redirect handling behavior without an actual open redirect vulnerability.
Detects alternative representations of localhost used to bypass SSRF filters
http://[::1]Prevent URL redirection from bypassing SSRF protections. Validate the final destination URL after following redirects and block redirect chains that resolve to internal addresses.
Likely FP if the match is documentation about redirect handling behavior without an actual open redirect vulnerability.
Detects API keys or tokens exposed in shell export commands
export BEEPER_TOKEN="your-token-from-beeper-settings"Remove credentials from shell export statements. Use a .env file (excluded from version control) or a secrets manager, and load secrets at runtime.
Likely FP if the export line uses a placeholder value (e.g., export API_KEY=your-key-here) or is in documentation describing environment setup.
Detects alternative representations of localhost used to bypass SSRF filters
http://[::1]Prevent URL redirection from bypassing SSRF protections. Validate the final destination URL after following redirects and block redirect chains that resolve to internal addresses.
Likely FP if the match is documentation about redirect handling behavior without an actual open redirect vulnerability.
Detects alternative representations of localhost used to bypass SSRF filters
http://[::1]Prevent URL redirection from bypassing SSRF protections. Validate the final destination URL after following redirects and block redirect chains that resolve to internal addresses.
Likely FP if the match is documentation about redirect handling behavior without an actual open redirect vulnerability.
Detects API keys or tokens exposed in shell export commands
export BEEPER_TOKEN="your-bearer-token-from-beeper-desktop"Remove credentials from shell export statements. Use a .env file (excluded from version control) or a secrets manager, and load secrets at runtime.
Likely FP if the export line uses a placeholder value (e.g., export API_KEY=your-key-here) or is in documentation describing environment setup.
Detects alternative representations of localhost used to bypass SSRF filters
http://[::1]Prevent URL redirection from bypassing SSRF protections. Validate the final destination URL after following redirects and block redirect chains that resolve to internal addresses.
Likely FP if the match is documentation about redirect handling behavior without an actual open redirect vulnerability.
Detects references to private/internal IP ranges in URL context
http://192.168.1.100:Implement URL allowlisting for all outbound requests. Block requests to private IP ranges (10.x, 172.16-31.x, 192.168.x), localhost, and link-local addresses.
Likely FP if the match is a localhost URL used for local development (e.g., http://localhost:3000) in setup documentation.
Detects references to private/internal IP ranges in URL context
http://192.168.1.100:Implement URL allowlisting for all outbound requests. Block requests to private IP ranges (10.x, 172.16-31.x, 192.168.x), localhost, and link-local addresses.
Likely FP if the match is a localhost URL used for local development (e.g., http://localhost:3000) in setup documentation.
Detects execution of shell script files via bash/sh command or direct invocation
bash
~/clawd/skills/beeper-api-cli/beeper.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects execution of shell script files via bash/sh command or direct invocation
bash
~/clawd/skills/beeper-api-cli/beeper.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects execution of shell script files via bash/sh command or direct invocation
bash
BEEPER="$HOME/clawd/skills/beeper-api-cli/beeper.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects execution of shell script files via bash/sh command or direct invocation
bash
BEEPER="$HOME/clawd/skills/beeper-api-cli/beeper.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects execution of shell script files via bash/sh command or direct invocation
bash
BEEPER="$HOME/clawd/skills/beeper-api-cli/beeper.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.