penfield

clawhub:penfield

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

92/100

MEDIUM 1

LOW 1

Findings (2)

MEDIUM

MCP server auto-registration EXTDL_006

external-download L248

Detects automatic registration of MCP servers into agent configuration

Claude mcp add

FIX

Pin the curl/wget download to a specific URL with version and verify the downloaded file's SHA-256 checksum before using it. Prefer package manager installs over raw downloads.

FP?

Likely FP if the download is from a well-known canonical source (e.g., official GitHub release) and the documentation includes checksum verification steps.

LOW

npx MCP server without version pin MCPCFG_001

mcp-config L258

Detects MCP server configs using npx to run packages without version pinning

"command": "npx"

FIX

Pin the npx package in the MCP config to an exact version (e.g., @scope/server@1.2.3). Unpinned npx commands can silently fetch a compromised package version.

FP?

Likely FP if the MCP config is a local development setup example, though unpinned npx in production configs is a real supply chain risk.