First Seen: Feb 18, 2026
Last Scanned: Feb 22, 2026
Findings: 4
Score: 61/100
Findings (4)
Detects patterns indicating sensitive data being sent to external services
send the key to
Restrict file reading to the project directory and block outbound network calls that include file contents. Implement file path validation to prevent directory traversal.
Likely FP if the tool legitimately reads project files and displays them to the user locally, without sending data to external services.
Detects webhook URLs commonly used for data exfiltration
https://webhook.site
Remove or restrict the ability to read sensitive files (e.g., /etc/passwd, ~/.ssh/*, browser profiles) and transmit their contents over the network. Add file access controls.
Likely FP if the match is in documentation explaining what files the tool accesses for legitimate purposes (e.g., reading SSH config for connection setup).
Detects attempts to read and transmit environment variables
process.env.ANTHROPIC_API_KEY then fetch(
Validate that HTTP requests only send intended data. Block requests that embed file contents, environment variables, or credentials in URL parameters or request bodies to unknown hosts.
Likely FP if the matched text is an environment variable name that contains an HTTP verb (e.g., process.env.POST_URL) rather than an exfiltration pattern.
Detects webhook URLs commonly used for data exfiltration
https://webhook.site
Remove or restrict the ability to read sensitive files (e.g., /etc/passwd, ~/.ssh/*, browser profiles) and transmit their contents over the network. Add file access controls.
Likely FP if the match is in documentation explaining what files the tool accesses for legitimate purposes (e.g., reading SSH config for connection setup).