clawscan

Restrict file reading to the project directory and block outbound network calls that include file contents. Implement file path validation to prevent directory traversal.

Likely FP if the tool legitimately reads project files and displays them to the user locally, without sending data to external services.

Use execFile() or spawn() with explicit argument arrays instead of exec() with a shell string. Validate all inputs before passing to child_process methods.

Likely FP if the match is in a README code example or package.json script field that runs a well-known CLI tool (e.g., eslint, tsc).

Block access to git credentials, SSH keys, and repository tokens. If git operations are needed, use scoped deploy keys and restrict the tool to specific repositories.

Likely FP if the match is documentation about git configuration (e.g., setting up git credentials helper) rather than code that reads and transmits them.

Avoid depending on packages that could be subject to typosquatting or name confusion. Verify package ownership, check download counts, and audit the package source before adding dependencies.

Likely FP if the flagged package is a well-known, high-download-count package from a verified publisher.

Remove hidden directives embedded in markdown, HTML comments, or encoded text. All agent-facing text should be explicit and visible in the skill definition.

Likely FP if the match is a standard markdown formatting pattern or HTML comment used for documentation rather than concealing directives.

Add input validation between the user-controlled data source and the security-sensitive sink (e.g., file writes, command execution). Implement allowlisting for acceptable input patterns.

Likely FP if the user input passes through explicit validation or sanitization before reaching the sensitive operation, and the taint tracker missed the sanitization step.

Prevent credentials and sensitive data obtained by one MCP tool from being passed to other tools. Implement data isolation between tools and restrict cross-tool data flow for secrets.

Likely FP if the cross-tool data flow is intentional API authentication (e.g., a tool fetches an auth token that another tool uses for the same service).

Replace shell=True with shell=False and pass command arguments as a list. Validate and sanitize all inputs before passing to the shell.

Likely FP if the match is in documentation describing how subprocess works, or in a comment explaining shell risks rather than actual code.

Pass arguments as an explicit list instead of a shell string. Set shell=False and validate all user-supplied values before inclusion.

Likely FP if the match is in documentation explaining Python subprocess usage or in a description mentioning it as a topic.

Block patterns that base64-encode data and immediately transmit it. If base64 encoding is needed, ensure the encoded data does not contain secrets and destinations are allowlisted.

Likely FP if base64 encoding is used for legitimate purposes like encoding images for display or constructing data URIs, with no network transmission.

Replace eval()/exec() with a safer alternative such as json.loads(), ast.literal_eval(), or a purpose-built parser.

Likely FP if the matched text contains 'exec' as part of a word (e.g., 'execute', 'execution') rather than an actual eval() or exec() call.

Replace shell=True with shell=False and pass command arguments as a list. Validate and sanitize all inputs before passing to the shell.

Likely FP if the match is in documentation describing how subprocess works, or in a comment explaining shell risks rather than actual code.

Replace shell=True with shell=False and pass command arguments as a list. Validate and sanitize all inputs before passing to the shell.

Likely FP if the match is in documentation describing how subprocess works, or in a comment explaining shell risks rather than actual code.

Pass arguments as an explicit list instead of a shell string. Set shell=False and validate all user-supplied values before inclusion.

Likely FP if the match is in documentation explaining Python subprocess usage or in a description mentioning it as a topic.

Replace shell=True with shell=False and pass command arguments as a list. Validate and sanitize all inputs before passing to the shell.

Likely FP if the match is in documentation describing how subprocess works, or in a comment explaining shell risks rather than actual code.

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.

Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.