clawver-marketplace

clawhub:clawver-marketplace

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

92/100

MEDIUM 1

LOW 1

Findings (2)

MEDIUM

Unattended auto-update SUPPLY_011

supply-chain L35

Detects automatic package or skill updates via cron or scheduled tasks without verification

update --all

FIX

Avoid installing packages from private or unofficial registries specified in skill instructions. Verify the registry URL is legitimate and use scoped packages with registry configuration.

FP?

Likely FP if the private registry is a well-known enterprise registry (e.g., GitHub Packages, Artifactory) documented in the project setup.

LOW

Non-localhost remote MCP server URL MCPCFG_004

mcp-config L277

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://your-server.com/claw-webhook"

FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).