First Seen
Feb 19, 2026
Last Scanned
Feb 22, 2026
Findings
2
Score
75/100
Findings (2)
Text combines credential access with network transmission
API keys, tokens, webhook URLsRemove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Detects execution of shell script files via bash/sh command or direct invocation
bash scripts/healthcheck.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.