monolith

clawhub:monolith

View source

92/100

First Seen

Feb 19, 2026

Last Scanned

Feb 22, 2026

Findings

Score

92/100

MEDIUM 1

LOW 2

Findings (3)

MEDIUM

Download binary or archive from URL EXTDL_016

external-download L6

Detects downloading binary, archive, or installer files from remote URLs

Download Monolith Companion (macOS app zip)","url":"https://github.com/slaviquee/monolith/releases/download/v0.1.3/MonolithCompanion.app.zip

FIX

Verify the integrity of downloaded binaries or archives using SHA-256 checksums or GPG signatures. Pin download URLs to specific versions and avoid fetching from unverified sources.

FP?

Likely FP if the download is from github.com or githubusercontent.com for a specific tagged release with documented checksums.

LOW

Runtime URL controlling behavior THIRDPARTY_001

third-party-content L6

Detects URLs fetched at runtime that control or influence agent behavior without pinning

Download Monolith Companion (macOS app zip)","url":"https:// + config

FIX

Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.

FP?

Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.

LOW

Non-localhost remote MCP server URL MCPCFG_004

mcp-config L6

Detects MCP server configurations connecting to non-localhost remote URLs

"url":"https://github.com/slaviquee/monolith/releases/download/v0.1.3/MonolithDaemon-v0.1.3.pkg"

FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).