A
100/100 First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
2
Score
100/100
LOW 2
Findings (2)
LOW
Non-localhost remote MCP server URL
L22 Detects MCP server configurations connecting to non-localhost remote URLs
"url": "https://github.com/k2-fsa/sherpa-onnx/releases/download/tts-models/vits-piper-en_GB-alan-medium.tar.bz2" FIX
Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.
FP?
Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).
LOW
Dynamic code evaluation
L61 Detects eval() or exec() used for dynamic code execution
exec(c FIX
Replace eval()/exec() with a safer alternative such as json.loads(), ast.literal_eval(), or a purpose-built parser.
FP?
Likely FP if the matched text contains 'exec' as part of a word (e.g., 'execute', 'execution') rather than an actual eval() or exec() call.