First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
2
Score
92/100
Findings (2)
Detects reads of sensitive system or credential files
cat ~/.configPrevent the tool from reading environment variables and sending them to external endpoints. If env access is needed, restrict it to specific variable names via an allowlist.
Likely FP if the match is documentation about how to configure environment variables, not code that reads and transmits them.
Detects global installation of packages which affects the host system
npm install -g @Replace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.
Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.