First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
9
Score
100/100
Findings (9)
Detects pip install of arbitrary packages that modify the host environment
pip install piPin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
Likely FP if the match is in documentation showing how to install the skill's own PyPI package.
Detects patterns that check for tool existence and install if missing
If pip-audit not installed: pip installReplace conditional download-and-install logic with explicit dependency declarations in a manifest file (package.json, requirements.txt). Verify checksums for any runtime downloads.
Likely FP if the conditional install is documentation showing standard prerequisite checks (e.g., checking if a tool is installed before installing it).
Detects patterns that check for tool existence and install if missing
If not installed: cargo installReplace conditional download-and-install logic with explicit dependency declarations in a manifest file (package.json, requirements.txt). Verify checksums for any runtime downloads.
Likely FP if the conditional install is documentation showing standard prerequisite checks (e.g., checking if a tool is installed before installing it).
Detects cargo install or gem install fetching packages from remote registries
cargo install cPin Cargo/Gem packages to specific versions (e.g., cargo install tool@0.1.0, gem install tool -v 1.2.3). Use lock files for reproducibility.
Likely FP if the matched text is a very short fragment (3 words or fewer) or uses placeholder package names.
Detects patterns that check for tool existence and install if missing
If not installed: cargo installReplace conditional download-and-install logic with explicit dependency declarations in a manifest file (package.json, requirements.txt). Verify checksums for any runtime downloads.
Likely FP if the conditional install is documentation showing standard prerequisite checks (e.g., checking if a tool is installed before installing it).
Detects cargo install or gem install fetching packages from remote registries
cargo install cPin Cargo/Gem packages to specific versions (e.g., cargo install tool@0.1.0, gem install tool -v 1.2.3). Use lock files for reproducibility.
Likely FP if the matched text is a very short fragment (3 words or fewer) or uses placeholder package names.
Detects pip install of arbitrary packages that modify the host environment
pip install piPin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
Likely FP if the match is in documentation showing how to install the skill's own PyPI package.
Detects pip install of arbitrary packages that modify the host environment
pip install piPin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
Likely FP if the match is in documentation showing how to install the skill's own PyPI package.
Detects cargo install or gem install fetching packages from remote registries
cargo install cPin Cargo/Gem packages to specific versions (e.g., cargo install tool@0.1.0, gem install tool -v 1.2.3). Use lock files for reproducibility.
Likely FP if the matched text is a very short fragment (3 words or fewer) or uses placeholder package names.