First Seen
Feb 20, 2026
Last Scanned
Feb 22, 2026
Findings
10
Score
92/100
Findings (10)
Detects patterns that check for tool existence and install if missing
If this check fails: inform the user and abort. Message: "Helper script not available. Please run `npm installReplace conditional download-and-install logic with explicit dependency declarations in a manifest file (package.json, requirements.txt). Verify checksums for any runtime downloads.
Likely FP if the conditional install is documentation showing standard prerequisite checks (e.g., checking if a tool is installed before installing it).
Detects npx with -y flag that bypasses user confirmation for package installation
npx -y Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.
Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.
Detects skills that include unscoped Bash in their allowed tools list (not Bash(cmd:*) scoped)
allowed-tools: Bash
Scope the Bash tool to specific commands using allowedTools patterns (e.g., Bash(git *) instead of bare Bash). Remove blanket Bash access from allowed_tools lists.
Likely FP if the Bash entry in allowed_tools is part of a constrained configuration that limits commands elsewhere (e.g., via system prompt restrictions).
Detects npx with -y flag that bypasses user confirmation for package installation
npx -y Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.
Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.
Detects npx with -y flag that bypasses user confirmation for package installation
npx -y Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.
Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.
Detects npx with -y flag that bypasses user confirmation for package installation
npx -y Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.
Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.
Detects npx with -y flag that bypasses user confirmation for package installation
npx -y Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.
Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.
Detects npx with -y flag that bypasses user confirmation for package installation
npx -y Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.
Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.
Detects npx with -y flag that bypasses user confirmation for package installation
npx -y Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.
Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.
Detects npx with -y flag that bypasses user confirmation for package installation
npx -y Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.
Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.