First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
4
Score
77/100
Findings (4)
Detects automatic registration of MCP servers into agent configuration
claude mcp add Pin the curl/wget download to a specific URL with version and verify the downloaded file's SHA-256 checksum before using it. Prefer package manager installs over raw downloads.
Likely FP if the download is from a well-known canonical source (e.g., official GitHub release) and the documentation includes checksum verification steps.
Detects automatic registration of MCP servers into agent configuration
claude mcp add Pin the curl/wget download to a specific URL with version and verify the downloaded file's SHA-256 checksum before using it. Prefer package manager installs over raw downloads.
Likely FP if the download is from a well-known canonical source (e.g., official GitHub release) and the documentation includes checksum verification steps.
Detects MCP server configurations connecting to non-localhost remote URLs
"url": "https://mcp.pond3r.xyz/mcp"Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.
Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).
Detects URLs fetched at runtime that control or influence agent behavior without pinning
Get latest**: `GET https:// + schemaAvoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.
Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.