bocha-skill

clawhub:bocha-skill

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

100/100

LOW 2

Findings (2)

LOW

Hardcoded secrets in MCP env block MCPCFG_003

mcp-config L46

Detects hardcoded API keys, tokens, or passwords in MCP server environment configuration

"env": { + "apiKey": "your-bocha-api-key-here"

FIX

Remove shell metacharacters (semicolons, pipes, ampersands, backticks) from MCP server arguments. Use explicit argument arrays and avoid shell expansion in MCP configurations.

FP?

Likely FP if the metacharacter is a literal part of a non-shell argument (e.g., a regex pattern or a URL query parameter containing ampersands).

LOW

Non-localhost remote MCP server URL MCPCFG_004

mcp-config L136

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://example.com/article"

FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).