First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
4
Score
92/100
Findings (4)
Detects skills fetching external URLs to use as runtime instructions
curl -o ~/.local/bin/plane https://raw.githubusercontent.com + CommandsPin the downloaded resource to a specific version or commit hash, and verify its integrity with a checksum (SHA-256). Avoid fetching scripts or binaries from arbitrary URLs at runtime.
Likely FP if the download URL points to a well-known CDN or package registry (e.g., npmjs.com, pypi.org) and is pinned to a specific version.
Detects references to raw.githubusercontent.com on mutable branches like main/master
raw.githubusercontent.com/JinkoLLC/plane-skill/main/Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.
Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.
Detects MCP server configurations connecting to non-localhost remote URLs
"url":"https://raw.githubusercontent.com/JinkoLLC/plane-skill/main/scripts/plane"Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.
Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).
Detects references to raw.githubusercontent.com on mutable branches like main/master
raw.githubusercontent.com/JinkoLLC/plane-skill/main/Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.
Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.