First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
4
Score
40/100
Findings (4)
Detects shell metacharacters (pipes, backticks, subshells) in MCP server command arguments
"command": "dashboard.fetch", "filters": { "dateFrom": "2024-01-01", "dateTo": "2024-01-31", "picker": "", "client": "" } }`Remove credentials (API keys, tokens, passwords) from MCP server configuration. Use environment variable references (e.g., ${API_KEY}) or a secrets manager instead of inline values.
Likely FP if the credential value is a placeholder (e.g., your-api-key-here, sk_test_xxx) in example configuration.
Detects shell metacharacters (pipes, backticks, subshells) in MCP server command arguments
"command": "picklists.fetch", "filters": {} }`Remove credentials (API keys, tokens, passwords) from MCP server configuration. Use environment variable references (e.g., ${API_KEY}) or a secrets manager instead of inline values.
Likely FP if the credential value is a placeholder (e.g., your-api-key-here, sk_test_xxx) in example configuration.
Detects shell metacharacters (pipes, backticks, subshells) in MCP server command arguments
"command": "stock.fetch", "filters": {} }`Remove credentials (API keys, tokens, passwords) from MCP server configuration. Use environment variable references (e.g., ${API_KEY}) or a secrets manager instead of inline values.
Likely FP if the credential value is a placeholder (e.g., your-api-key-here, sk_test_xxx) in example configuration.
Detects shell metacharacters (pipes, backticks, subshells) in MCP server command arguments
"command": "revenue.fetch", "filters": {} }`Remove credentials (API keys, tokens, passwords) from MCP server configuration. Use environment variable references (e.g., ${API_KEY}) or a secrets manager instead of inline values.
Likely FP if the credential value is a placeholder (e.g., your-api-key-here, sk_test_xxx) in example configuration.