First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
3
Score
100/100
Findings (3)
Detects pip install of arbitrary packages that modify the host environment
pip install rePin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
Likely FP if the match is in documentation showing how to install the skill's own PyPI package.
Detects instructions to modify shell config files for environment persistence
Add to ~/.zshrc or ~/.bashrcAvoid modifying shell profiles (.bashrc, .zshrc, .profile) programmatically. Instruct users to add PATH entries manually, or use a version manager (nvm, pyenv) instead.
Likely FP if the match is documentation showing how to add a tool to PATH manually, especially if it only appends to PATH without modifying other settings.
Detects URLs fetched at runtime that control or influence agent behavior without pinning
Get API Key: https:// + PromptAvoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.
Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.