disclaw

clawhub:disclaw

View source

85/100

First Seen

Feb 20, 2026

Last Scanned

Feb 20, 2026

Findings

Score

85/100

HIGH 1

LOW 1

Findings (2)

HIGH

Localhost bypass SSRF_006

ssrf-cloud L212

Detects alternative representations of localhost used to bypass SSRF filters

curl http://127.0.0.1:

FIX

Prevent URL redirection from bypassing SSRF protections. Validate the final destination URL after following redirects and block redirect chains that resolve to internal addresses.

FP?

Likely FP if the match is documentation about redirect handling behavior without an actual open redirect vulnerability.

LOW

Global package installation EXTDL_004

external-download L20

Detects global installation of packages which affects the host system

npm install -g @

FIX

Replace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.

FP?

Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.