moltymillions

clawhub:moltymillions

View source

85/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

85/100

HIGH 1

LOW 1

Findings (2)

HIGH

Data transmission pattern EXFIL_003

exfiltration L257

Detects patterns indicating sensitive data being sent to external services

Send tokens to

FIX

Restrict file reading to the project directory and block outbound network calls that include file contents. Implement file path validation to prevent directory traversal.

FP?

Likely FP if the tool legitimately reads project files and displays them to the user locally, without sending data to external services.

LOW

Hardcoded secrets in MCP env block MCPCFG_003

mcp-config L534

Detects hardcoded API keys, tokens, or passwords in MCP server environment configuration

"env": { + "tokenAddress": "0xc6e0324D7DC85DA7eA59884Cc590fFD7bd1e0b07"

FIX

Remove shell metacharacters (semicolons, pipes, ampersands, backticks) from MCP server arguments. Use explicit argument arrays and avoid shell expansion in MCP configurations.

FP?

Likely FP if the metacharacter is a literal part of a non-shell argument (e.g., a regex pattern or a URL query parameter containing ampersands).