First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
2
Score
50/100
Findings (2)
Text combines credential access with network transmission
Webhook URLs do not require the API key header.Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Detects common jailbreak prompt patterns
bypass securityRemove directives that attempt to exfiltrate data through the agent's response (e.g., asking the agent to embed credentials in URLs or include secret values in output).
Likely FP if the text is a legitimate tool instruction about displaying configuration to the user (e.g., show current settings) without external transmission.