First Seen: Feb 18, 2026
Last Scanned: Feb 22, 2026
Findings: 17
Score: 0/100
Findings (17)
Detects patterns of downloading and piping to shell execution
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh
Download the file first, verify its integrity (checksum, signature), inspect it, then run it. Prefer package managers over raw downloads. Never fetch-and-run in one step.
Likely FP if the target is a well-known installer (e.g., rustup, Homebrew) from its canonical HTTPS domain, though the pattern is inherently risky.
Detects downloading scripts piped directly to a shell interpreter
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh
Download the script first, inspect it, verify its checksum, then run it. Do not pipe curl/wget output directly to sh/bash. Prefer package manager installs.
Likely FP if the download is from a well-known installer domain (e.g., brew.sh, rustup.rs), though this pattern is inherently risky even with trusted sources.
Detects skills fetching external URLs to use as runtime instructions
curl -sSfL https://raw.githubusercontent.com + configuration
Pin the downloaded resource to a specific version or commit hash, and verify its integrity with a checksum (SHA-256). Avoid fetching scripts or binaries from arbitrary URLs at runtime.
Likely FP if the download URL points to a well-known CDN or package registry (e.g., npmjs.com, pypi.org) and is pinned to a specific version.
Detects downloading scripts piped directly to a shell interpreter
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh
Download the script first, inspect it, verify its checksum, then run it. Do not pipe curl/wget output directly to sh/bash. Prefer package manager installs.
Likely FP if the download is from a well-known installer domain (e.g., brew.sh, rustup.rs), though this pattern is inherently risky even with trusted sources.
Detects patterns of downloading and piping to shell execution
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh
Download the file first, verify its integrity (checksum, signature), inspect it, then run it. Prefer package managers over raw downloads. Never fetch-and-run in one step.
Likely FP if the target is a well-known installer (e.g., rustup, Homebrew) from its canonical HTTPS domain, though the pattern is inherently risky.
Detects reading files piped directly to network commands
type checking phase
Solution:
1. Temporarily disable complex linters that require type checking
2. Use `--fast` flag for quicker, less intensive checks
3. Verify all imports are properly declared
## ...
Restrict file uploads to user-initiated actions with explicit confirmation. Block programmatic upload of sensitive files (keys, configs, credentials) to external services.
Likely FP if the skill is a file-sharing tool where uploading is the documented core feature and destinations are user-configured.
Code block labeled "markdown" contains executable content
name: Code Quality
on:
  push:
    branches: [ main, master ]
  pull_request:
    branches: [ main, master ]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
...
Align the tool description with what the code actually does. If the description says one thing but the code does another, update the description to be accurate or fix the code.
Likely FP if the NLP analyzer misinterpreted technical jargon or the description accurately describes behavior through domain-specific terminology.
Detects downloading scripts piped directly to a shell interpreter
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh
Download the script first, inspect it, verify its checksum, then run it. Do not pipe curl/wget output directly to sh/bash. Prefer package manager installs.
Likely FP if the download is from a well-known installer domain (e.g., brew.sh, rustup.rs), though this pattern is inherently risky even with trusted sources.
Detects patterns of downloading and piping to shell execution
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh
Download the file first, verify its integrity (checksum, signature), inspect it, then run it. Prefer package managers over raw downloads. Never fetch-and-run in one step.
Likely FP if the target is a well-known installer (e.g., rustup, Homebrew) from its canonical HTTPS domain, though the pattern is inherently risky.
Detects downloading binary, archive, or installer files from remote URLs
curl -L https://golang.org/dl/go1.21.5.linux-amd64.tar.gz
Verify the integrity of downloaded binaries or archives using SHA-256 checksums or GPG signatures. Pin download URLs to specific versions and avoid fetching from unverified sources.
Likely FP if the download is from github.com or githubusercontent.com for a specific tagged release with documented checksums.
Detects references to raw.githubusercontent.com on mutable branches like main/master
raw.githubusercontent.com/golangci/golangci-lint/master/
Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.
Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.
Detects chained commands using shell operators with dangerous operations
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh
Break chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.
Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.
Detects go install fetching and compiling arbitrary Go packages
go install github.com/golangci/golangci-lint/cmd/golangci-lint@
Pin Go install targets to a specific version (e.g., go install example.com/tool@v1.2.3). Avoid @latest as it fetches whatever is currently published.
Likely FP if the go install target is a well-known tool (e.g., golang.org/x/ packages) pinned to a specific version in documentation.
Detects references to raw.githubusercontent.com on mutable branches like main/master
raw.githubusercontent.com/golangci/golangci-lint/master/
Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.
Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.
Detects chained commands using shell operators with dangerous operations
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh
Break chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.
Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.
Detects chained commands using shell operators with dangerous operations
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh
Break chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.
Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.
Detects references to raw.githubusercontent.com on mutable branches like main/master
raw.githubusercontent.com/golangci/golangci-lint/master/
Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.
Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.