github-api

clawhub:github-api

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

92/100

MEDIUM 1

LOW 1

Findings (2)

MEDIUM

Base64 encode and send EXFIL_009

exfiltration L262

Detects base64 encoding of content followed by transmission

Base64 encode + fetch(

FIX

Block patterns that base64-encode data and immediately transmit it. If base64 encoding is needed, ensure the encoded data does not contain secrets and destinations are allowlisted.

FP?

Likely FP if base64 encoding is used for legitimate purposes like encoding images for display or constructing data URIs, with no network transmission.

LOW

Non-localhost remote MCP server URL MCPCFG_004

mcp-config L109

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://connect.maton.ai/?session_token=..."

FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).