First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
43
Score
77/100
Findings (43)
Detects patterns indicating sensitive data being sent to external services
Send tokens usingRestrict file reading to the project directory and block outbound network calls that include file contents. Implement file path validation to prevent directory traversal.
Likely FP if the tool legitimately reads project files and displays them to the user locally, without sending data to external services.
Detects patterns indicating sensitive data being sent to external services
Send tokens toRestrict file reading to the project directory and block outbound network calls that include file contents. Implement file path validation to prevent directory traversal.
Likely FP if the tool legitimately reads project files and displays them to the user locally, without sending data to external services.
Detects global installation of packages which affects the host system
npm install -g @Replace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.
Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @openindex/openindexcli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.