First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
4
Score
92/100
Findings (4)
Detects patterns that check for tool existence and install if missing
If `context-builder` is not installed, install with `cargo installReplace conditional download-and-install logic with explicit dependency declarations in a manifest file (package.json, requirements.txt). Verify checksums for any runtime downloads.
Likely FP if the conditional install is documentation showing standard prerequisite checks (e.g., checking if a tool is installed before installing it).
Detects cargo install or gem install fetching packages from remote registries
cargo install cPin Cargo/Gem packages to specific versions (e.g., cargo install tool@0.1.0, gem install tool -v 1.2.3). Use lock files for reproducibility.
Likely FP if the matched text is a very short fragment (3 words or fewer) or uses placeholder package names.
Detects URLs fetched at runtime that control or influence agent behavior without pinning
download from [GitHub Releases](https:// + rulesAvoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.
Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.
Detects cargo install or gem install fetching packages from remote registries
cargo install cPin Cargo/Gem packages to specific versions (e.g., cargo install tool@0.1.0, gem install tool -v 1.2.3). Use lock files for reproducibility.
Likely FP if the matched text is a very short fragment (3 words or fewer) or uses placeholder package names.