kleo-static-files

clawhub:kleo-static-files

View source

69/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

69/100

HIGH 1

MEDIUM 2

LOW 2

Findings (5)

HIGH

Curl or wget piped to shell EXTDL_013

external-download L157

Detects downloading scripts piped directly to a shell interpreter

curl http://localhost:3000/health
```

### "Invalid API key"
```bash
# Verify key is set
echo $SF_API_KEY

# Create new key if needed
bun run /opt/kleo-static-files/scripts/create-key.ts "new-key"
```...

FIX

Download the script first, inspect it, verify its checksum, then run it. Do not pipe curl/wget output directly to sh/bash. Prefer package manager installs.

FP?

Likely FP if the download is from a well-known installer domain (e.g., brew.sh, rustup.rs), though this pattern is inherently risky even with trusted sources.

MEDIUM

Privilege escalation SUPPLY_007

supply-chain L195

Detects privilege escalation patterns like setuid, chown root, or sudo with shell commands

sudo bash

FIX

Avoid depending on packages that could be subject to typosquatting or name confusion. Verify package ownership, check download counts, and audit the package source before adding dependencies.

FP?

Likely FP if the flagged package is a well-known, high-download-count package from a verified publisher.

MEDIUM

Runtime URL controls agent behavior EXTDL_001

external-download L195

Detects skills fetching external URLs to use as runtime instructions

curl -fsSL https://raw.githubusercontent.com + Commands

FIX

Pin the downloaded resource to a specific version or commit hash, and verify its integrity with a checksum (SHA-256). Avoid fetching scripts or binaries from arbitrary URLs at runtime.

FP?

Likely FP if the download URL points to a well-known CDN or package registry (e.g., npmjs.com, pypi.org) and is pinned to a specific version.

LOW

Chained shell command execution CMDEXEC_012

command-execution L157

Detects chained commands using shell operators with dangerous operations

curl http://localhost:3000/health
```

### "Invalid API key"
```bash
# Verify key is set
echo $SF_API_KEY

# Create new key if needed
bun run /opt/kleo-static-files/scripts/create-key.ts "new-key"
```...

FIX

Break chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.

FP?

Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.

LOW

Mutable GitHub raw content reference THIRDPARTY_002

third-party-content L195

Detects references to raw.githubusercontent.com on mutable branches like main/master

raw.githubusercontent.com/498AS/kleo-static-files/main/

FIX

Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.

FP?

Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.