moneydevkit

clawhub:moneydevkit

View source

84/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

84/100

MEDIUM 2

LOW 1

Findings (3)

MEDIUM

MCP server auto-registration EXTDL_006

external-download L36

Detects automatic registration of MCP servers into agent configuration

claude mcp add

FIX

Pin the curl/wget download to a specific URL with version and verify the downloaded file's SHA-256 checksum before using it. Prefer package manager installs over raw downloads.

FP?

Likely FP if the download is from a well-known canonical source (e.g., official GitHub release) and the documentation includes checksum verification steps.

MEDIUM

MCP server auto-registration EXTDL_006

external-download L41

Detects automatic registration of MCP servers into agent configuration

claude mcp add

FIX

Pin the curl/wget download to a specific URL with version and verify the downloaded file's SHA-256 checksum before using it. Prefer package manager installs over raw downloads.

FP?

Likely FP if the download is from a well-known canonical source (e.g., official GitHub release) and the documentation includes checksum verification steps.

LOW

Unverified npx package execution EXTDL_008

external-download L46

Detects npx executing packages from unverified sources without pinned versions

npx @moneydevkit/create

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.