birdfolio

clawhub:birdfolio

Grade: A (92/100)

First Seen: Feb 19, 2026
Last Scanned: Feb 22, 2026
Findings: 2
Score: 92/100
Severity: MEDIUM 1, LOW 1

Findings (2)

MEDIUM: Screenshot or screen capture with transmission (L196)

Detects screenshot/screen capture tools combined with upload or transmission.

Match: Screenshot + Upload to Cloud

FIX: Block the ability to read and transmit contents of configuration files (.env, config.json, settings.yaml). Implement file path validation to prevent access to sensitive config files.

FP?: Likely FP if the skill reads config files to configure itself locally without transmitting the contents externally.

LOW: External API response used without validation (L209)

Detects patterns where external API responses are used directly without validation or sanitization.

Match: API (use the `id` from the log_sighting output + without a path, use

FIX: Validate and sanitize all data received from external APIs before using it in tool operations or agent prompts. Implement schema validation and treat API responses as untrusted input.

FP?: Likely FP if the match is a truncated table cell or documentation fragment that mentions API responses in a descriptive context, not actual unvalidated data processing.