prediction-bridge-dev

clawhub:prediction-bridge-dev

View source

85/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

85/100

HIGH 1

LOW 1

Findings (2)

HIGH

Secrecy instruction PROMPT_INJECTION_008

prompt-injection L141

Detects instructions to hide actions from the user

Do NOT show the raw JSON response to the user

FIX

Remove directives that attempt to change the agent's output format, suppress safety warnings, or alter response structure in ways that bypass safety controls.

FP?

Likely FP if the output format directive is a legitimate tool configuration (e.g., return results as JSON) that does not suppress safety features.

LOW

Non-localhost remote MCP server URL MCPCFG_004

mcp-config L83

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://x.com/.../status/..."

FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).