openfleet

clawhub:openfleet

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

100/100

LOW 3

Findings (3)

LOW

Runtime URL controlling behavior THIRDPARTY_001

third-party-content L22

Detects URLs fetched at runtime that control or influence agent behavior without pinning

Get your API key from the [OpenFleet Dashboard](https:// + Settings

FIX

Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.

FP?

Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.

LOW

Unverified npx package execution EXTDL_008

external-download L111

Detects npx executing packages from unverified sources without pinned versions

npx @open-fleet/mcp-server

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

npx auto-install without confirmation EXTDL_003

external-download L118

Detects npx with -y flag that bypasses user confirmation for package installation

npx -y

FIX

Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.

FP?

Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.