First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
9
Score
38/100
Findings (9)
Detects references to private/internal IP ranges in URL context
http://192.168.1.50:Implement URL allowlisting for all outbound requests. Block requests to private IP ranges (10.x, 172.16-31.x, 192.168.x), localhost, and link-local addresses.
Likely FP if the match is a localhost URL used for local development (e.g., http://localhost:3000) in setup documentation.
Detects references to private/internal IP ranges in URL context
http://192.168.1.138:Implement URL allowlisting for all outbound requests. Block requests to private IP ranges (10.x, 172.16-31.x, 192.168.x), localhost, and link-local addresses.
Likely FP if the match is a localhost URL used for local development (e.g., http://localhost:3000) in setup documentation.
Detects references to private/internal IP ranges in URL context
http://192.168.1.50:Implement URL allowlisting for all outbound requests. Block requests to private IP ranges (10.x, 172.16-31.x, 192.168.x), localhost, and link-local addresses.
Likely FP if the match is a localhost URL used for local development (e.g., http://localhost:3000) in setup documentation.
Detects references to private/internal IP ranges in URL context
http://192.168.1.138:Implement URL allowlisting for all outbound requests. Block requests to private IP ranges (10.x, 172.16-31.x, 192.168.x), localhost, and link-local addresses.
Likely FP if the match is a localhost URL used for local development (e.g., http://localhost:3000) in setup documentation.
Detects references to private/internal IP ranges in URL context
http://192.168.1.50:Implement URL allowlisting for all outbound requests. Block requests to private IP ranges (10.x, 172.16-31.x, 192.168.x), localhost, and link-local addresses.
Likely FP if the match is a localhost URL used for local development (e.g., http://localhost:3000) in setup documentation.
Detects references to private/internal IP ranges in URL context
http://192.168.1.50:Implement URL allowlisting for all outbound requests. Block requests to private IP ranges (10.x, 172.16-31.x, 192.168.x), localhost, and link-local addresses.
Likely FP if the match is a localhost URL used for local development (e.g., http://localhost:3000) in setup documentation.
Detects hardcoded API keys, tokens, or passwords in MCP server environment configuration
"env": { + "JF_API_KEY": "your-jellyfin-api-key"Remove shell metacharacters (semicolons, pipes, ampersands, backticks) from MCP server arguments. Use explicit argument arrays and avoid shell expansion in MCP configurations.
Likely FP if the metacharacter is a literal part of a non-shell argument (e.g., a regex pattern or a URL query parameter containing ampersands).
Detects system-level package installation via brew, apt, yum, or dnf
apt install aPin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.
Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.
Detects system-level package installation via brew, apt, yum, or dnf
apt install aPin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.
Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.