hookaido

clawhub:hookaido

Grade

B (85/100)

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

3

Score

85/100

HIGH 1
LOW 2

Findings (3)

HIGH
Localhost bypass
L28

Detects alternative representations of localhost used to bypass SSRF filters

curl http://127.0.0.1:
FIX

Prevent URL redirection from bypassing SSRF protections. Validate the final destination URL after following redirects and block redirect chains that resolve to internal addresses.

FP?

Likely FP if the match is documentation about redirect handling behavior without an actual open redirect vulnerability.

LOW
Non-localhost remote MCP server URL
L4

Detects MCP server configurations connecting to non-localhost remote URLs

"url":"https://github.com/nuetzliches/hookaido/releases/download/v1.5.0/hookaido_v1.5.0_darwin_amd64.tar.gz"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Shell script file execution
L19

Detects execution of shell script files via bash/sh command or direct invocation

bash {baseDir}/scripts/install_hookaido.sh
FIX

Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

FP?

Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.