nanoleaf

clawhub:nanoleaf

View source

77/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

77/100

HIGH 1

MEDIUM 1

Findings (2)

HIGH

Shell metacharacters in MCP config args MCPCFG_002

mcp-config L5

Detects shell metacharacters (pipes, backticks, subshells) in MCP server command arguments

"command":"curl -sL https://github.com/tessro/picoleaf/releases/latest/download/picoleaf_1.4.0_linux_amd64.tar.gz |

FIX

Remove credentials (API keys, tokens, passwords) from MCP server configuration. Use environment variable references (e.g., ${API_KEY}) or a secrets manager instead of inline values.

FP?

Likely FP if the credential value is a placeholder (e.g., your-api-key-here, sk_test_xxx) in example configuration.

MEDIUM

Download binary or archive from URL EXTDL_016

external-download L5

Detects downloading binary, archive, or installer files from remote URLs

curl -sL https://github.com/tessro/picoleaf/releases/latest/download/picoleaf_1.4.0_linux_amd64.tar.gz

FIX

Verify the integrity of downloaded binaries or archives using SHA-256 checksums or GPG signatures. Pin download URLs to specific versions and avoid fetching from unverified sources.

FP?

Likely FP if the download is from github.com or githubusercontent.com for a specific tagged release with documented checksums.