A
100/100 First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
2
Score
100/100
LOW 2
Findings (2)
LOW
Base64 encode and send
L51 Detects base64 encoding of content followed by transmission
btoa + curl FIX
Block patterns that base64-encode data and immediately transmit it. If base64 encoding is needed, ensure the encoded data does not contain secrets and destinations are allowlisted.
FP?
Likely FP if base64 encoding is used for legitimate purposes like encoding images for display or constructing data URIs, with no network transmission.
LOW
JWT token
L233 Detects JWT tokens
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c FIX
Remove hardcoded JWT tokens from the skill definition. Generate tokens dynamically at runtime and set appropriate expiration times.
FP?
Likely FP if the matched text is a documentation example showing JWT structure with clearly fake values, or an expired demo token.