flightclaw

clawhub:flightclaw

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

92/100

MEDIUM 1

LOW 2

Findings (3)

MEDIUM

MCP server auto-registration EXTDL_006

external-download L91

Detects automatic registration of MCP servers into agent configuration

claude mcp add

FIX

Pin the curl/wget download to a specific URL with version and verify the downloaded file's SHA-256 checksum before using it. Prefer package manager installs over raw downloads.

FP?

Likely FP if the download is from a well-known canonical source (e.g., official GitHub release) and the documentation includes checksum verification steps.

LOW

Shell script file execution CMDEXEC_013

command-execution L19

Detects execution of shell script files via bash/sh command or direct invocation

bash skills/flightclaw/setup.sh

FIX

Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

FP?

Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.

LOW

pip install arbitrary package EXTDL_009

external-download L90

Detects pip install of arbitrary packages that modify the host environment

pip install fl

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.